ML020840272

SP02-0070Atch1 - Reg. Guide 1.174 (Revision 1)
Person / Time
Issue date: 04/24/2002
From:
NRC/EDO
To:
References
-nr SECY-02-0070


Text

U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REGULATORY RESEARCH
April 2002
REGULATORY GUIDE
(Draft was issued as DG-1110)

REGULATORY GUIDE 1.174, Revision 1
AN APPROACH FOR USING PROBABILISTIC RISK ASSESSMENT IN RISK-INFORMED DECISIONS ON PLANT-SPECIFIC CHANGES TO THE LICENSING BASIS

1. PURPOSE AND SCOPE

1.1 INTRODUCTION

The NRC's policy statement on probabilistic risk assessment (PRA) (Ref. 1) encourages greater use of this analysis technique to improve safety decisionmaking and improve regulatory efficiency. The NRC staff's Risk-Informed Regulation Implementation Plan (Ref. 2) describes activities now under way or planned to expand this use. These activities include, for example, providing guidance for NRC inspectors on focusing inspection resources on risk-important equipment, as well as reassessing plants with relatively high core damage frequencies for possible backfits.

Another activity under way in response to the policy statement is using PRA to support decisions to modify an individual plant's licensing basis (LB).1 This regulatory guide provides guidance on the use of PRA findings and risk insights in support of licensee requests for changes to a plant's LB, as in requests for license amendments and technical specification changes under Sections 50.90-92 of 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

It does not address licensee-initiated changes to the LB that do NOT require NRC review and approval (e.g., changes to the facility as described in the final safety analysis report (FSAR), the subject of 10 CFR 50.59).

Licensee-initiated LB changes that are consistent with currently approved staff positions (e.g., regulatory guides, standard review plans, branch technical positions, or the Standard Technical Specifications) are normally evaluated by the staff using traditional engineering analyses. A licensee generally would not be expected to submit risk information in support of the proposed change.

1 These are modifications to a plant's design, operation, or other activities that require NRC approval. These modifications could include items such as exemption requests under 10 CFR 50.11 and license amendments under 10 CFR 50.90.

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received complete staff review or approval and does not represent an official NRC staff position.

Public comments are being solicited on this draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rules and Directives Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Comments may be submitted electronically or downloaded through the NRC's interactive web site at <WWW.NRC.GOV> through Rulemaking. Copies of comments received may be examined at the NRC Public Document Room, 11555 Rockville Pike, Rockville, MD. Comments will be most helpful if received by September 17, 2001.

Requests for single copies of draft or active regulatory guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Reproduction and Distribution Services Section, or by fax to (301)415-2289; or by email to DISTRIBUTION@NRC.GOV. Electronic copies of this draft guide are available through NRC's interactive web site (see above), on the NRC's web site <www.nrc.gov> in the Reference Library under Regulatory Guides, and in NRC's Public Electronic Reading Room at the same web site, under Accession Number ML011770102.

Licensee-initiated LB change requests that go beyond current staff positions may be evaluated by the staff using traditional engineering analyses as well as the risk-informed approach set forth in this regulatory guide. A licensee may be requested to submit supplemental risk information if such information is not submitted by the licensee.

If risk information on the proposed LB change is not provided to the staff, the staff will review the information provided by the licensee to determine whether the application can be approved. Based on the information provided, using traditional methods, the NRC staff will either approve or reject the application.

However, licensees should be aware that special circumstances may arise in which new information reveals an unforeseen hazard or a substantially greater potential for a known hazard to occur, such as the identification of an issue related to the requested LB change that may substantially increase risk. In such circumstances, the NRC has the statutory authority to require licensee action above and beyond existing regulations and may request an analysis of the change in risk related to the requested LB change to demonstrate that the level of protection necessary to avoid undue risk to public health and safety (i.e., "adequate protection") would be maintained upon approval of the requested LB change.

This regulatory guide describes an acceptable method for the licensee and NRC staff to use in assessing the nature and impact of LB changes when the licensee chooses to support or is requested by the staff to support the changes with risk information. The NRC staff would review these LB changes by considering engineering issues and applying risk insights. Licensees who submit risk information (whether on their own initiative or at the request of the staff) should address each of the principles of risk-informed regulation discussed in this regulatory guide. Licensees should identify how their chosen approaches and methods (whether quantitative or qualitative, deterministic or probabilistic), data, and criteria for considering risk are appropriate for the decision to be made.

Additional guidance is provided to the NRC staff (in Appendix D to Chapter 19 of the Standard Review Plan, Ref. 3) regarding the circumstances and process under which NRC staff reviewers would request and use risk information in the review of non-risk-informed license amendment requests.

The guidance provided in this regulatory guide does not preclude other approaches for requesting changes to the LB. Rather, this regulatory guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, the principles, process, and approach discussed herein also provide useful guidance for the application of risk information to a broader set of activities than plant-specific changes to a plant's LB (i.e., generic activities), and licensees are encouraged to use this guidance in that regard.

1.2 BACKGROUND

During the last several years, both the NRC and the nuclear industry have recognized that PRA has evolved to the point that it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement (Ref. 1) regarding the expanded use of PRA.


• The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

• PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state of the art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Backfit Rule).

Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.

• PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

• The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on need for proposing and backfitting new generic requirements on nuclear power plant licensees.

To facilitate the use of PRA, the Commission also directed the staff, in response to SECY-00-0162, "Addressing PRA Quality in Risk-Informed Activities" (Ref. 4), to define acceptable PRA quality. See Appendix A to this guide for details on PRA characteristics and attributes.

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees.

In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken (Ref. 2). These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). For example, one application involves the use of PRA in the assessment of operational events in reactors. The characteristics of these assessments permit relatively simple PRA models to be used. In contrast, other applications require the use of detailed models.

The activities described in the PRA Implementation Plan (Ref. 2), which is updated periodically, relate to a number of agency interactions with the regulated industry. With respect to reactor regulation, activities include, for example, developing guidance for NRC inspectors on focusing inspection resources on risk-important equipment and reassessing plants with relatively high core-damage frequencies (CDF) for possible backfit.

This regulatory guide focuses on the use of PRA in a subset of the applications described in the staff's implementation plan. Its principal focus is the use of PRA findings and risk insights in decisions on proposed changes to a plant's LB.

This regulatory guide also makes use of the NRC's Safety Goal Policy Statement (Ref. 5). As discussed below, one key principle in risk-informed regulation is that proposed increases in CDF and risk are small and are consistent with the intent of the Commission's Safety Goal Policy Statement. The safety goals (and associated quantitative health objectives (QHOs)) define an acceptable level of risk that is a small fraction (0.1%) of other risks to which the public is exposed. The acceptance guidelines defined in this regulatory guide (in Section 2.2.4) are based on subsidiary objectives derived from the safety goals and their QHOs.

1.3 PURPOSE OF THIS REGULATORY GUIDE

Changes to many of the activities and design characteristics in a nuclear power plant's LB require NRC review and approval. This regulatory guide provides the staff's recommendations for using risk information in support of licensee-initiated LB changes to a nuclear power plant that require such review and approval. The guidance provided here does not preclude other approaches for requesting LB changes. Rather, this regulatory guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, this regulatory guide, the use of which is voluntary, provides general guidance concerning one approach that the NRC has determined to be acceptable for analyzing issues associated with proposed changes to a plant's LB and for assessing the impact of such proposed changes on the risk associated with plant design and operation. This guidance does not address the specific analyses needed for each nuclear power plant activity or design characteristic that may be amenable to risk-informed regulation.

1.4 SCOPE OF THIS REGULATORY GUIDE

This regulatory guide describes an acceptable approach for assessing the nature and impact of proposed LB changes by considering engineering issues and applying risk insights.

Assessments should consider relevant safety margins and defense-in-depth attributes, including consideration of success criteria as well as equipment functionality, reliability, and availability. The analyses should reflect the actual design, construction, and operational practices of the plant. Acceptance guidelines for evaluating the results of such assessments are provided. This guide also addresses implementation strategies and performance monitoring plans associated with LB changes that will help ensure that assumptions and analyses supporting the change are verified.

Consideration of the Commission's Safety Goal Policy Statement (Ref. 5) is an important element in regulatory decisionmaking. Consequently, this regulatory guide provides acceptance guidelines consistent with this policy statement.


In theory, one could construct a more generous regulatory framework for consideration of those risk-informed changes that may have the effect of increasing risk to the public. Such a framework would include, of course, assurance of continued adequate protection (that level of protection of the public health and safety that must be reasonably assured regardless of economic cost). But it could also include provision for possible elimination of all measures not needed for adequate protection, which either do not effect a substantial reduction in overall risk or result in continuing costs that are not justified by the safety benefits. Instead, in this regulatory guide, the NRC has chosen a more restrictive policy that would permit only small increases in risk, and then only when it is reasonably assured, among other things, that sufficient defense in depth and sufficient margins are maintained. This policy is adopted because of uncertainties and to account for the fact that safety issues continue to emerge regarding design, construction, and operational matters notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection. The safety goal subsidiary objectives are used as an example of such a prudent margin.

Finally, this regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable analysis and that the results of the engineering evaluations support the licensee's request for a regulatory change.

1.5 RELATIONSHIP TO OTHER GUIDANCE DOCUMENTS

Directly relevant to this regulatory guide is the Standard Review Plan (SRP) designed to guide the NRC staff evaluations of licensee requests for changes to the LB that apply risk insights (Ref. 3), as well as guidance that is being developed in selected application-specific regulatory guides and the corresponding standard review plan chapters. Related regulatory guides have been developed on inservice testing, inservice inspection, graded quality assurance, and technical specifications (Refs. 6-9). An NRC contractor report (Ref. 10) is also available that provides a simple screening method for assessing one measure used in the regulatory guide, large early release frequency. The staff recognizes that the risk analyses necessary to support regulatory decisionmaking may vary with the relative weight that is given to the risk assessment element of the decisionmaking process. The burden is on the licensee who requests a change to the LB to justify that the chosen risk assessment approach, methods, and data are appropriate for the decision to be made.

The information collections contained in this draft regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

2. AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISIONMAKING

In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities (Ref. 1), the Commission stated an expectation that "the use of PRA technology should be increased in all regulatory matters . . . in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy." The use of risk insights in licensee submittals requesting LB changes will assist the staff in the disposition of such licensee proposals.

The staff has defined an acceptable approach to analyzing and evaluating proposed LB changes. This approach supports the NRC's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) about the risk significance of the proposed changes. Decisions concerning proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.

In implementing risk-informed decisionmaking, LB changes are expected to meet a set of key principles. Some of these principles are written in terms typically used in traditional engineering decisions (e.g., defense in depth). While written in these terms, it should be understood that risk analysis techniques can be, and are encouraged to be, used to help ensure and show that these principles are met. These principles are:

1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change, i.e., a "specific exemption" under 10 CFR 50.12 or a "petition for rulemaking" under 10 CFR 2.802.
2. The proposed change is consistent with the defense-in-depth philosophy.
3. The proposed change maintains sufficient safety margins.
4. When proposed changes result in an increase in core damage frequency or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy Statement (Ref. 5).2
5. The impact of the proposed change should be monitored using performance measurement strategies.

Each of these principles should be considered in the risk-informed, integrated decisionmaking process, as illustrated in Figure 1.

2 For purposes of this guide, a proposed LB change that meets the acceptance guidelines discussed in Section 2.2.4 is considered to have met the intent of the policy statement.

Figure 1. Principles of Risk-Informed Integrated Decisionmaking

The staff's proposed evaluation approach and acceptance guidelines follow from these principles. In implementing these principles, the staff expects that:

• All safety impacts of the proposed change are evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly by identifying and taking advantage of opportunities to reduce risk, and not just to eliminate requirements the licensee sees as undesirable. For those cases when risk increases are proposed, the benefits should be described and should be commensurate with the proposed risk increases. The approach used to identify changes in requirements should be used to identify areas where requirements should be increased3 as well as where they can be reduced.

• The scope, level of detail, and quality technical acceptability of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed LB change should be appropriate for the nature and scope of the change, should be based on the as-built and as-operated and maintained plant, and should reflect operating experience at the plant.

• The portions of the plant-specific PRA relevant to the application should contain the characteristics and attributes of a PRA as defined in Appendix A. It should also be subjected to an independent peer review to determine whether it contains these characteristics and attributes.4

3 The NRC staff is aware of but does not endorse guidelines that have been developed (e.g., by the Nuclear Energy Institute) to assist in identifying potentially beneficial changes to requirements.

4 As discussed in Section 2.2.3.3 below, such a peer review is not a replacement for NRC review. Such a process has been developed; it is the Nuclear Energy Institute (NEI) 00-02, "PRA Peer Review Process Guidance" (Ref. 11). This process has not been endorsed by the NRC staff at this time.


• The plant-specific PRA supporting the licensee's proposals has been subjected to quality assurance methods and quality control methods.

• Appropriate consideration of uncertainty is given in analyses and interpretation of findings, including using a program of monitoring, feedback, and corrective action to address significant uncertainties.

• The use of core damage frequency (CDF) and large early release frequency (LERF)5 as bases for PRA acceptance guidelines is an acceptable approach to addressing Principle 4. Use of the Commission's Safety Goal QHOs in lieu of LERF is acceptable in principle, and licensees may propose their use. However, in practice, implementing such an approach would require an extension to a Level 3 PRA, in which case the methods and assumptions used in the Level 3 analysis, and associated uncertainties, would require additional attention.

• Increases in estimated CDF and LERF resulting from proposed LB changes will be limited to small increments. The cumulative effect of such changes should be tracked and considered in the decision process.

• The acceptability of proposed changes should be evaluated by the licensee in an integrated fashion that ensures that all principles are met.6

• Data, methods, and assessment criteria used to support regulatory decisionmaking must be well documented and available for public review.

Given the principles of risk-informed decisionmaking discussed above, the staff has identified a four-element approach to evaluating proposed LB changes. This approach, which is presented graphically in Figure 2, acceptably supports the NRC's decisionmaking process. This approach is not sequential in nature; rather it is iterative.

5 In this context, LERF is being used as a surrogate for the early fatality QHO. It is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, and loss of containment isolation. This definition is consistent with accident analyses used in the safety goal screening criteria discussed in the Commission's regulatory analysis guidelines. An NRC contractor's report (Ref. 10) describes a simple screening approach for calculating LERF.

6 One important element of integrated decisionmaking can be the use of an "integrated decisionmaking panel." Such a panel is not a necessary component of risk-informed decisionmaking; but when it is used, the key principles and associated decision criteria presented in this regulatory guide still apply and must be shown to have been met or to be irrelevant to the issue at hand.

Figure 2. Principal Elements of Risk-Informed, Plant-Specific Decisionmaking

2.1 ELEMENT 1: DEFINE THE PROPOSED CHANGE

Element 1 involves three primary activities. First, the licensee should identify those aspects of the plant's LB that may be affected by the proposed change, including but not limited to rules and regulations, final safety analysis report (FSAR), technical specifications, licensing conditions, and licensing commitments. Second, the licensee should identify all structures, systems, and components (SSCs), procedures, and activities that are covered by the LB change being evaluated and should consider the original reasons for including each program requirement.

When considering LB changes, a licensee may identify regulatory requirements or commitments in its LB that it believes are overly restrictive or unnecessary to ensure safety at the plant. Note that the corollary is also true; that is, licensees are also expected to identify design and operational aspects of the plant that should be enhanced consistent with an improved understanding of their safety significance. Such enhancements should be embodied in appropriate LB changes that reflect these enhancements.

Third, with this staff expectation in mind, the licensee should identify available engineering studies, methods, codes, applicable plant-specific and industry data and operational experience, PRA findings, and research and analysis results relevant to the proposed LB change. With particular regard to the plant-specific PRA, the licensee should assess the capability to use, refine, augment, and update system models as needed to support a risk assessment of the proposed LB change.

The above information should be used collectively to describe the LB change and to outline the method of analysis. The licensee should describe the proposed change and how it meets the objectives of the NRC's PRA Policy Statement (Ref. 1), including enhanced decisionmaking, more efficient use of resources, and reduction of unnecessary burden. In addition to improvements in reactor safety, this assessment may consider benefits from the LB change such as reduced fiscal and personnel resources and radiation exposure. The licensee should affirm that the proposed LB change meets the current regulations unless the proposed change is explicitly related to a proposed exemption or rule change (i.e., a "specific exemption" under 10 CFR 50.12 or a "petition for rulemaking" under 10 CFR 2.802).

2.1.1 Combined Change Requests

Licensee proposals may include several individual changes to the LB that have been evaluated and will be implemented in an integrated fashion. The staff expects that, with respect to the overall net change in risk, combined change requests (CCRs) will fall in one of two broad categories, each of which may be acceptable:

1. CCRs in which any individual change increases risk;
2. CCRs in which each individual change decreases risk.

In the first category, the contribution of each individual change in the CCR must be quantified in the risk assessment and the uncertainty of each individual change must be addressed. For CCRs in the second category, qualitative analysis may be sufficient for some or all individual changes. Guidelines for use in developing CCRs are discussed below.

2.1.2 Guidelines for Developing CCRs

The changes that make up a CCR should be related to one another, for example, by affecting the same single system or activity, by affecting the same safety function or accident sequence or group of sequences, or by being of the same type (e.g., changes in outage time allowed by technical specifications). However, this does not preclude acceptance of unrelated changes. When CCRs are submitted to the NRC staff for review, the relationships among the individual changes and how they have been modeled in the risk assessment should be addressed in detail, since this will control the characterization of the net result of the changes. Licensees should evaluate not only the individual changes but also the changes taken together against the safety principles and qualitative acceptance guidelines in Sections 2 and 2.2.1, respectively, of this regulatory guide. In addition, the acceptability of the cumulative impact of the changes that make up the CCR with respect to the quantitative acceptance guidelines discussed in Section 2.2.4 of this guide should be assessed.

In implementing CCRs in the first category, it is expected that the risk from significant accident sequences will not be increased and that the frequencies of the lower ranked contributors will not be increased so that they become significant contributors to risk. It is expected that no significant new sequences or cutsets will be created. In assessing the acceptability of CCRs, (1) risk increases related to the more likely initiating events (e.g., steam generator tube ruptures) should not be traded against improvements related to unlikely events (e.g., earthquakes) even if, for instance, they involve the same safety function, and (2) risk should be considered in addition to likelihood. The staff also expects that CCRs will lead to safety benefits such as simplifying plant operations or focusing resources on the most important safety items.

Proposed changes that modify one or more individual components of a previously approved CCR must also address the impact on the previously approved CCR.

Specifically, the question to be addressed is whether the proposed modification would cause the previously approved CCR to not be acceptable. If the answer is yes, the submittal should address the actions the licensee is taking with respect to the previously approved CCR.

2.2 ELEMENT 2: PERFORM ENGINEERING ANALYSIS

The staff expects that the scope, level of detail, and quality technical acceptability of the engineering analyses conducted to justify the proposed LB change will be appropriate for the nature and scope of the change. The staff also expects that appropriate consideration will be given to uncertainty in the analysis and interpretation of findings. The licensee is expected to use judgment on the complexity and difficulty of implementing the proposed LB change to decide upon appropriate engineering analyses to support regulatory decisionmaking. Thus, the licensee should consider the appropriateness of qualitative and quantitative analyses, as well as analyses using traditional engineering approaches and those techniques associated with the use of PRA findings. Regardless of the analysis methods chosen, the licensee must show that the principles set forth in Section 2 have been met through the use of scrutable acceptance guidelines established for making that determination.

Some proposed LB changes can be characterized as involving the categorization of SSCs according to safety significance. An example is grading the application of quality assurance controls commensurate with the safety significance of equipment. Like other applications, the staff's review of LB change requests for applications involving safety categorization will be according to the acceptance guidelines associated with each key principle presented in this regulatory guide, unless equivalent guidelines are proposed by the licensee. Since risk-importance measures are often used in such categorizations, guidance on their use is provided in Appendix BA to this regulatory guide. Other application-specific guidance documents address guidelines associated with the adequacy of programs (in this example, quality controls) implemented for different safety-significant categories (e.g., more safety significant and less safety significant).

Licensees are encouraged to apply risk-informed findings and insights to decisions (and potential LB requests).

As part of the second element, the licensee will evaluate the proposed LB change with regard to the principles that adequate defense-in-depth is maintained, that sufficient safety margins are maintained, and that proposed increases in core damage frequency and risk are small and are consistent with the intent of the Commission's Safety Goal Policy Statement.

2.2.1 Evaluation of Defense-in-Depth Attributes and Safety Margins

One aspect of the engineering evaluations is to show that the fundamental safety principles on which the plant design was based are not compromised. Design basis accidents (DBAs) play a central role in nuclear power plant design. DBAs are a combination of postulated challenges and failure events against which plants are designed to ensure adequate and safe plant response. During the design process, plant response and associated safety margins are evaluated using assumptions that are intended to be conservative. National standards and other considerations such as defense-in-depth attributes and the single failure criterion constitute additional engineering considerations that influence plant design and operation. Margins and defenses associated with these considerations may be affected by the licensee's proposed LB change and, therefore, should be reevaluated to support a requested LB change. As part of this evaluation, the impact of the proposed LB change on affected equipment functionality, reliability, and availability should be determined.


2.2.1.1 Defense in Depth. The engineering evaluation should evaluate whether the impact of the proposed LB change (individually and cumulatively) is consistent with the defense-in-depth philosophy. In this regard, the intent of the principle is to ensure that the philosophy of defense in depth is maintained, not to prevent changes in the way defense in depth is achieved. The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance. If a comprehensive risk analysis is done, it can be used to help determine the appropriate extent of defense in depth (e.g., balance among core damage prevention, containment failure, and consequence mitigation) to ensure protection of public health and safety.

When a comprehensive risk analysis is not or cannot be done, traditional defense-in-depth considerations should be used or maintained to account for uncertainties. The evaluation should consider the intent of the general design criteria, national standards, and engineering principles such as the single failure criterion. Further, the evaluation should consider the impact of the proposed LB change on barriers (both preventive and mitigative) to core damage, containment failure or bypass, and the balance among defense-in-depth attributes. As stated earlier, the licensee should select the engineering analysis techniques, whether quantitative or qualitative, traditional or probabilistic, appropriate to the proposed LB change.

The licensee should assess whether the proposed LB change meets the defense-in-depth principle. Defense in depth consists of a number of elements, as summarized below. These elements can be used as guidelines for making that assessment. Other equivalent acceptance guidelines may also be used.

Consistency with the defense-in-depth philosophy is maintained if:

  • A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.
  • Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.
  • System redundancy, independence, and diversity are preserved commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g., no risk outliers).
  • Defenses against potential common cause failures are preserved, and the potential for the introduction of new common cause failure mechanisms is assessed.
  • Independence of barriers is not degraded.
  • Defenses against human errors are preserved.
  • The intent of the General Design Criteria in Appendix A to 10 CFR Part 50 is maintained.

2.2.1.2 Safety Margins. The engineering evaluation should assess whether the impact of the proposed LB change is consistent with the principle that sufficient safety margins are maintained. Here also, the licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the proposed LB change were implemented. An acceptable set of guidelines for making that assessment is summarized below. Other equivalent acceptance guidelines may also be used. With sufficient safety margins:

  • Codes and standards or their alternatives approved for use by the NRC are met.
  • Safety analysis acceptance criteria in the LB (e.g., FSAR, supporting analyses) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty.

Application-specific guidelines reflecting this general guidance have been developed and may be found in the application-specific regulatory guides (Refs. 6-9).

2.2.2 Evaluation of Risk Impact, Including Treatment of Uncertainties

The licensee's risk assessment may be used to address the principle that proposed increases in CDF and risk are small and are consistent with the intent of the NRC's Safety Goal Policy Statement (Ref. 5). For purposes of implementation, the licensee should assess the expected change in CDF and LERF. The necessary sophistication of the evaluation, including the scope of the PRA (e.g., internal events only, full power only), depends on the contribution the risk assessment makes to the integrated decisionmaking, which depends to some extent on the magnitude of the potential risk impact. For LB changes that may have a more substantial impact, an in-depth and comprehensive PRA analysis, one appropriate to derive a quantified estimate of the total impact of the proposed LB change, will be necessary to provide adequate justification. In other applications, calculated risk-importance measures or bounding estimates will be adequate. In still others, a qualitative assessment of the impact of the LB change on the plant's risk may be sufficient.

The remainder of this section discusses the use of quantitative PRA results in decisionmaking. This discussion has three parts:

1. A fundamental element of NRC's risk-informed regulatory process is a PRA of sufficient scope, level of detail, and technical acceptability for the intended application. Section 2.2.3 discusses the staff's expectations with respect to the needed PRA's scope, level of detail, and technical acceptability.
2. PRA results are to be used in this decisionmaking process in two ways: to assess the overall baseline CDF/LERF of the plant and to assess the CDF/LERF impact of the proposed change. Section 2.2.4 discusses the acceptance guidelines to be used by the staff for each of these measures.
3. One of the strengths of the PRA framework is its ability to characterize the impact of uncertainty in the analysis, and it is essential that these uncertainties be recognized when assessing whether the principles are being met. Section 2.2.5 provides guidelines on how the uncertainty is to be addressed in the decisionmaking process.

The staff's decision on the proposed LB change will be based on its independent judgment and review of the entire application.


2.2.3 Quality of PRA Analysis

The quality of a PRA analysis used to support an application is measured in terms of its appropriateness with respect to scope, level of detail, and technical acceptability.

The scope, level of detail, and technical acceptability of the PRA are to be commensurate with the application for which it is intended and the role the PRA results play in the integrated decision process. The more emphasis that is put on the risk insights and on PRA results in the decisionmaking process, the more requirements that have to be placed on the PRA, in terms of both scope and how well the risk and the change in risk is assessed.

Conversely, emphasis on the PRA scope, level of detail, and technical acceptability can be reduced if a proposed change to the LB results in a risk decrease or is very small, or if the decision could be based mostly on traditional engineering arguments, or if compensating measures are proposed such that it can be convincingly argued that the change is very small.

Since this regulatory guide is intended for a variety of applications, the required scope, level of detail, and technical acceptability may vary. One over-riding requirement is that the PRA should realistically reflect the actual design, construction, operational practices, and operational experience of the plant and its owner. This should include the licensee's voluntary actions as well as regulatory requirements, and the PRA used to support risk-informed decisionmaking should also reflect the impact of previous changes made to the LB.

2.2.3.1 Scope. For PRAs used in risk-informed activities, the following scope and level of risk characterization, as summarized in Table 1, are considered.

Plant operating states (POSs) are used to subdivide the plant operating cycle into unique states such that the plant response can be assumed to be the same for all subsequent accident initiating events. Operational characteristics (such as reactor power level; in-vessel temperature, pressure, and coolant level; equipment operability; and changes in decay heat load or plant conditions that allow new success criteria) are examined to identify those important to defining plant operational states. The important characteristics are used to define the states and the fraction of time spent in each state is estimated using plant specific information. The risk perspective is based on the total risk connected with the operation of the reactor, which includes not only full power operation, but low power and shutdown conditions. Therefore, to gain the maximum benefit from a PRA, the model addresses all modes of operation.


Table 1 List of Items Defining PRA Scope and Risk Characterization

| Item | Desired Scope and Level of Risk Characterization |
|---|---|
| POS | full and low power, hot and cold shutdown |
| Initiating Events | internal: floods, fires; external: seismic events, high wind, others |
| Risk Characterization | Level 1: core damage frequency; Level 2: large early release frequency and long-term containment integrity; Level 3: not required |

Initiating events are the events that have the ability to challenge the condition of the plant. These events include failure of equipment from either internal plant causes such as hardware faults, operator actions, floods or fires, or external plant causes such as earthquakes or high winds. The risk perspective is based on the total risk connected with the operation of the reactor, which includes events from both internal and external sources. Therefore, to gain the maximum benefit from a PRA, the model should address both internal and external initiating events.

The metrics used for risk characterization in risk-informed applications are CDF and LERF (as a surrogate for early fatalities). Issues related to the reliability of barriers, in particular containment integrity and consequence mitigation, are addressed through consideration of defense in depth. To provide the risk perspective for use in decisionmaking, a Level 1 PRA is required. A limited Level 2 PRA is needed to address LERF and may be helpful in addressing issues related to long-term containment integrity. A Level 3 PRA is not required.

Although the assessment of the risk implications in light of the acceptance guidelines discussed in Section 2.2.4 requires that all plant operating modes and initiating events be addressed, it is not necessary to have a PRA that treats all these modes and initiating events. A qualitative treatment of the missing modes and initiators may be sufficient in many cases. Section 2.2.5 discusses this further.

Table 2 provides a list of general technical elements required to provide acceptable results for a PRA. A PRA that is missing one or more of these elements would not be considered a complete PRA.


Table 2 Technical Elements of an Acceptable PRA

Applicable to all Internal & External Events

| Scope/Level of Analysis | Technical Element |
|---|---|
| Level 1 | Initiating event analysis; Parameter estimation analysis; Success criteria analysis; Human reliability analysis; Accident sequence analysis; Quantification; Systems analysis; Interpretation of results; Internal flood analysis; Internal fire analysis; External hazards analysis |
| Level 2 | Plant damage state analysis; Quantification; Accident progression analysis; Interpretation of results |

Although the assessment of the risk implications in light of the acceptance guidelines discussed in Section 2.2.4 requires that all plant operating modes and initiating events be addressed, it is not necessary to have a PRA of such scope that it treats all operating modes and initiating events. A qualitative treatment of the missing modes and initiators may be sufficient in many cases. Section 2.2.5 discusses this further.

2.2.3.2 Level of Detail Required To Support an Application. The level of detail required of the PRA is that which is sufficient to model the impact of the proposed change. The characterization of the problem should include establishing a cause-effect relationship to identify portions of the PRA affected by the issue being evaluated.

Full-scale applications of the PRA should reflect this cause-effect relationship in a quantification of the impact on the PRA elements. For applications like component categorization, sensitivity studies on the effects of the change may be sufficient. For other applications it may be adequate to define the qualitative relationship of the impact on the PRA elements or only identify which elements are impacted.

If the impacts of a change to the plant cannot be associated with elements of the PRA, the PRA should be modified accordingly or the impact of the change should be evaluated qualitatively as part of the integrated decisionmaking panel process, as discussed in Appendix A Section 2.2.6. In any case, the effects of the changes on the reliability and unavailability of systems, structures, and components or on operator actions should be appropriately accounted for.

2.2.3.3 PRA Technical Acceptability. In the current context, technical acceptability will be understood as being determined by measuring the adequacy of the actual modeling and the reasonableness of the assumptions and approximations. A PRA used in risk-informed regulation should be performed correctly, in a manner that is consistent with accepted practices, commensurate with the scope, level of detail, and technical acceptability required as discussed above. Appendix A provides a summary of the characteristics and attributes of a PRA acceptable to the staff. Several different approaches may be used to assess the technical acceptability of a PRA. Regardless of the approach chosen, they all must assess technical acceptability against characteristics and attributes as described in Appendix A. One approach a licensee could use to assess this technical acceptability is to perform a peer review of the PRA. In this case, the submittal should document the review process described in Appendix A. The documentation should include the qualification of the reviewers, the summarized review findings, and resolutions to these findings where applicable. Industry PRA certification programs and PRA cross-comparison studies could also be used to help assess appropriate scope, level of detail, and technical acceptability of the PRA. If such programs or studies are to be used, a description of the program, including the approach and standard or guidelines to which the PRA is compared, the depth of the review, and the make-up and qualifications of the personnel involved should be provided for NRC review. Based on the peer review or certification process and on the findings from this process, the licensee should justify why the PRA is adequate for the present application in terms of scope, level of detail, and technical acceptability. A staff review cannot be replaced in its entirety by a peer review, a certification, or cross-comparison, although the more confidence the staff has in the review that has been performed for the licensee, the less rigor should be expected in the staff review.7 (delete footnote)

The staff is currently developing a regulatory guide to endorse the ASME PRA standard. This new guide will provide guidance on how the PRA standard may be used to better understand the level of confidence in the PRA results and their role in decision-making. Also forming a part of the guide will be the staff endorsement of PRA standards or industry programs, including exceptions or additional staff requirements.

The NRC has not developed its own formal standards nor has it yet endorsed an industry standard for PRAs submitted in support of applications for changes to a plant's LB that are covered by this regulatory guide. However, the NRC continues to support ongoing initiatives to develop such industry PRA standards and expects that ultimately PRA standards will be developed and endorsed by the NRC that are suitable for regulatory decisionmaking as described in this regulatory guide. Standards either completed or currently under development cover internal events, external events (e.g., seismic events), low power and shutdown conditions.8 In the interim, the NRC staff is continuing to evaluate PRAs submitted in support of specific applications using the guidelines given in Sections 2.2.3 (including Appendix A) and Section 2.5 of this regulatory guide, and Chapter 19 of the Standard Review Plan (Ref. 3), and the information contained in SECY-00-0162 (Ref. 4) which defines minimum technical attributes for a technically acceptable PRA, and is folding the experience gained from these reviews back into the standards development process. In addition, the references and bibliography provide information that licensees may find useful in deciding on the acceptability of their PRA.

7 In April 2000, the Nuclear Energy Institute (NEI) submitted a process (Ref. 11) for a peer review of licensee PRAs for use in categorizing SSCs with respect to special treatment requirements (i.e., supporting NRC's risk-informed "Option 2" work (SECY-99-256, Ref. 12)). This peer review process may also be of use in LB changes (as well as other regulatory activities not addressed here) since NEI now considers the process applicable to all risk-informed licensee submittals; if so, future revisions of this guide may endorse this certification process.

8 The American Society of Mechanical Engineers (ASME) is developing a draft standard, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications"; it will be for Level 1 and Level 2 (LERF only) PRAs for internal events (excluding fire) that occur during full-power operations. The American Nuclear Society (ANS) is developing a draft standard for external events (e.g., seismic events, including seismic margins, wind, flood), "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications: External Events." The ANS is also developing a draft standard for low-power and shutdown conditions, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications: Low Power and Shutdown." In addition, the various engineering professional societies are considering developing a fire PRA.

2.2.4 Acceptance Guidelines

The risk-acceptance guidelines presented in this regulatory guide are based on the principles and expectations for risk-informed regulation discussed in Section 2, and they are structured as follows. Regions are established in the two planes generated by a measure of the baseline risk metric (CDF or LERF) along the x-axis, and the change in those metrics (ΔCDF or ΔLERF) along the y-axis (Figures 3 and 4) and acceptance guidelines are established for each region as discussed below. These guidelines are intended for comparison with a full-scope (including internal events, external events, full power, low power, and shutdown) assessment of the change in risk metric, and when necessary, as discussed below, the baseline value of the risk metric (CDF or LERF). However, it is recognized that many PRAs are not full scope and PRA information of less than full scope may be acceptable as discussed in Section 2.2.5 of this regulatory guide.

Figure 3. Acceptance Guidelines* for Core Damage Frequency (CDF)

* The analysis will be subject to increased technical review and management attention as indicated by the darkness of the shading of the figure. In the context of the integrated decisionmaking, the boundaries between regions should not be interpreted as being definitive; the numerical values associated with defining the regions in the figure are to be interpreted as indicative values only.

There are two sets of acceptance guidelines, one for CDF and one for LERF, and both sets should be used.


Figure 4. Acceptance Guidelines* for Large Early Release Frequency (LERF)

* The analysis will be subject to increased technical review and management attention as indicated by the darkness of the shading of the figure. In the context of the integrated decisionmaking, the boundaries between regions should not be interpreted as being definitive; the numerical values associated with defining the regions in the figure are to be interpreted as indicative values only.

  • If the application clearly can be shown to result in a decrease in CDF, the change will be considered to have satisfied the relevant principle of risk-informed regulation with respect to CDF. (Because Figure 3 is drawn on a log scale, this region is not explicitly indicated on the figure.)
  • When the calculated increase in CDF is very small, which is taken as being less than 10⁻⁶ per reactor year, the change will be considered regardless of whether there is a calculation of the total CDF (Region III). While there is no requirement to calculate the total CDF, if there is an indication that the CDF may be considerably higher than 10⁻⁴ per reactor year, the focus should be on finding ways to decrease rather than increase it. Such an indication would result, for example, if (1) the contribution to CDF calculated from a limited scope analysis, such as the individual plant examination (IPE) or the individual plant examination of external events (IPEEE), significantly exceeds 10⁻⁴, (2) a potential vulnerability has been identified from a margins-type analysis, or (3) historical experience at the plant in question has indicated a potential safety concern.
  • When the calculated increase in CDF is in the range of 10⁻⁶ per reactor year to 10⁻⁵ per reactor year, applications will be considered only if it can be reasonably shown that the total CDF is less than 10⁻⁴ per reactor year (Region II).
  • Applications that result in increases to CDF above 10⁻⁵ per reactor year (Region I) would not normally be considered.

AND

  • If the application clearly can be shown to result in a decrease in LERF, the change will be considered to have satisfied the relevant principle of risk-informed regulation with respect to LERF. (Because Figure 4 is drawn with a log scale, this region is not explicitly indicated on the figure.)
  • When the calculated increase in LERF is very small, which is taken as being less than 10⁻⁷ per reactor year, the change will be considered regardless of whether there is a calculation of the total LERF (Region III). While there is no requirement to calculate the total LERF, if there is an indication that the LERF may be considerably higher than 10⁻⁵ per reactor year, the focus should be on finding ways to decrease rather than increase it. Such an indication would result, for example, if (1) the contribution to LERF calculated from a limited scope analysis, such as the IPE or the IPEEE, significantly exceeds 10⁻⁵, (2) a potential vulnerability has been identified from a margins-type analysis, or (3) historical experience at the plant in question has indicated a potential safety concern.
  • When the calculated increase in LERF is in the range of 10⁻⁷ per reactor year to 10⁻⁶ per reactor year, applications will be considered only if it can be reasonably shown that the total LERF is less than 10⁻⁵ per reactor year (Region II).
  • Applications that result in increases to LERF above 10⁻⁶ per reactor year (Region I) would not normally be considered.

These guidelines are intended to provide assurance that proposed increases in CDF and LERF are small and are consistent with the intent of the Commission's Safety Goal Policy Statement (Ref. 5).

As indicated by the shading on the figures, the change request will be subject to an NRC technical and management review that will become more intensive when the calculated results are closer to the region boundaries.

The guidelines discussed above are applicable for full-power, low-power, and shutdown operations. However, during certain shutdown operations when the containment function is not maintained, the LERF guideline as defined above is not practical. In those cases, licensees may use more stringent baseline CDF guidelines (e.g., 10⁻⁵ per reactor year) to maintain an equivalent risk profile or may propose an alternative guideline to LERF that meets the intent of Principle 4 (see Figure 1).

The risk analyses from which the current LERF guidelines were derived are based on UO2 fueled cores at power levels up to 3800 Mwt and fuel burnups of approximately 40,000 MWD/MT. Small increases in power level to a resultant power level, no more than 3800 Mwt, are not expected to have any appreciable effect on the current LERF guideline. However, power level increases resulting in levels above 3800 Mwt may need to be evaluated for their impact on these LERF guidelines.

Changes in fuel burnup are also not expected to have any appreciable effect on the current LERF guideline because early fatality risks are dominated by the short-lived fission products, while high burnup primarily affects the long-lived fission products. To address these issues, the NRC is convening a group of experts to identify and to rank in importance the phenomena related to high burnup and mixed oxide (MOX) source terms. The experts' report is expected to be published for public comment. The NRC staff will use the results of this expert elicitation to establish the basis for any changes to the current LERF guidelines that may be proposed.

Current LERF guidelines are based upon assumptions of reactor power level, fuel burnup rates and extent of use of mixed oxide fuel. The staff is undertaking an evaluation of the impact, if any, of increases in these parameters on LERF.

The technical review that relates to the risk evaluation will address the scope, level of detail, and technical acceptability of the analysis, including consideration of uncertainties as discussed in the next section. Aspects covered by the management review are discussed in Section 2.2.6, Integrated Decisionmaking, and include factors that are not amenable to PRA evaluation.

2.2.5 Comparison of PRA Results with the Acceptance Guidelines

This section provides guidance on comparing the results of the PRA with the acceptance guidelines described in Section 2.2.4. In the context of integrated decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive. They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical values associated with defining the regions in Figures 3 and 4 of this regulatory guide are approximate values that provide an indication of the changes that are generally acceptable. Furthermore, the state of knowledge, or epistemic, uncertainties associated with PRA calculations preclude a definitive decision with respect to which region the application belongs in based purely on the numerical results.

The intent of comparing the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4, discussed in Section 2, is being met. This decision must be based on a full understanding of the contributors to the PRA results and the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not. This is a somewhat subjective process, and the reasoning behind the decisions must be well documented. Guidance on what should be addressed follows in Section 2.2.5.4; but first, the types of uncertainty that impact PRA results and methods typically used for their analysis are briefly discussed. More information can be found in some of the publications in the Bibliography.

2.2.5.1 Types of Uncertainty and Methods of Analysis. There are two facets to uncertainty that, because of their natures, must be treated differently when creating models of complex systems. They have recently been termed aleatory and epistemic uncertainty. The aleatory uncertainty is that addressed when the events or phenomena being modeled are characterized as occurring in a "random" or "stochastic" manner, and probabilistic models are adopted to describe their occurrences. It is this aspect of uncertainty that gives PRA the probabilistic part of its name. The epistemic uncertainty is that associated with the analyst's confidence in the predictions of the PRA model itself, and it reflects the analyst's assessment of how well the PRA model represents the actual system being modeled. This has been referred to as state-of-knowledge uncertainty. In this section, it is the epistemic uncertainty that is discussed; the aleatory uncertainty is built into the structure of the PRA model itself.

Because they are generally characterized and treated differently, it is useful to identify three classes of uncertainty that are addressed in and impact the results of PRAs: parameter uncertainty, model uncertainty, and completeness uncertainty. Completeness uncertainty can be regarded as one aspect of model uncertainty, but because of its importance, it is discussed separately. The Bibliography may be consulted for additional information on definitions of terms and approaches to the treatment of uncertainty in PRAs.

2.2.5.2 Parameter Uncertainty. Each of the models that is used, either to develop the PRA logic structure or to represent the basic events of that structure, has one or more parameters. Typically, each of these models (e.g., the Poisson model for initiating events) is assumed to be appropriate. However, the parameter values for these models are often not known perfectly. Parameter uncertainties are those associated with the values of the fundamental parameters of the PRA model, such as equipment failure rates, initiating event frequencies, and human error probabilities that are used in the quantification of the accident sequence frequencies. They are typically characterized by establishing probability distributions on the parameter values. These distributions can be interpreted as expressing the analyst's degree of belief in the values these parameters could take, based on his state of knowledge and conditional on the underlying model being correct. It is straightforward and within the capability of most PRA codes to propagate the distribution representing uncertainty on the basic parameter values to generate a probability distribution on the results (e.g., CDF, accident sequence frequencies, LERF) of the PRA. However, the analysis must be done to correlate the sample values for different PRA elements from a group to which the same parameter value applies (the so-called state-of-knowledge dependency; see Ref. 13).
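The effect of the state-of-knowledge dependency on a propagated mean can be checked numerically. The following Python sketch is an added example, not part of the regulatory guide: the cut set of redundant components sharing one failure probability, the lognormal form with an error factor (taken here as 95th percentile over median), and every numeric value are constructed assumptions.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


def lognormal_sigma(error_factor):
    """Log-space standard deviation, assuming error factor = 95th percentile / median."""
    return math.log(error_factor) / Z95


def analytic_means(freq, median, error_factor, n_events=2):
    """Mean frequency of a cut set whose n_events basic events share one parameter p.

    Returns (correlated, independent):
      correlated  = freq * E[p**n]   one epistemic value of p applies to every event
      independent = freq * E[p]**n   each event treated as if sampled separately,
                                     i.e. the state-of-knowledge dependency is ignored
    """
    s2 = lognormal_sigma(error_factor) ** 2
    correlated = freq * median ** n_events * math.exp(n_events ** 2 * s2 / 2)
    independent = freq * median ** n_events * math.exp(n_events * s2 / 2)
    return correlated, independent


def monte_carlo_means(freq, median, error_factor, n_events=2,
                      trials=200_000, seed=1):
    """Propagate the same uncertainty by sampling, with and without correlation."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    mu, sigma = math.log(median), lognormal_sigma(error_factor)
    corr_sum = indep_sum = 0.0
    for _ in range(trials):
        # Correlated: draw p once per trial and reuse it for every event.
        p = min(rng.lognormvariate(mu, sigma), 1.0)
        corr_sum += freq * p ** n_events
        # Uncorrelated: a fresh draw per event.
        product = 1.0
        for _ in range(n_events):
            product *= min(rng.lognormvariate(mu, sigma), 1.0)
        indep_sum += freq * product
    return corr_sum / trials, indep_sum / trials


def underestimate_factor(error_factor, n_events=2):
    """Factor by which the mean is too low when the dependency is ignored."""
    correlated, independent = analytic_means(1.0, 1.0, error_factor, n_events)
    return correlated / independent


if __name__ == "__main__":
    # Constructed case: initiator 1e-2 per year, two pumps, median 1e-3, EF 3.
    print("analytic   :", analytic_means(1e-2, 1e-3, 3.0))
    print("monte carlo:", monte_carlo_means(1e-2, 1e-3, 3.0))
    for ef in (3.0, 10.0):
        print("EF", ef, "underestimate factor:", underestimate_factor(ef))
```

For a lognormal parameter the factor is exp(σ²(n² − n)/2), so it grows with both the error factor and the number of events sharing the parameter.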

2.2.5.3 Model Uncertainty. The development of the PRA model is supported by the use of models for specific events or phenomena. In many cases, the industry's state of knowledge is incomplete, and there may be different opinions on how the models should be formulated. Examples include approaches to modeling human performance, common cause failures, and reactor coolant pump seal behavior upon loss of seal cooling. This gives rise to model uncertainty. In many cases, the appropriateness of the models adopted is not questioned and these models have become, de facto, the standard models to use. Examples include the use of Poisson and binomial models to characterize the probability of occurrence of component failures. For some issues with well-formulated alternative models, PRAs have addressed model uncertainty by using discrete distributions over the alternative models, with the probability associated with a specific model representing the analyst's degree of belief that model is the most appropriate. A good example is the characterization of the seismic hazard as different hypotheses lead to different hazard curves, which can be used to develop a discrete probability distribution of the initiating event frequency for earthquakes. Other examples can be found in the Level 2 analysis.

Another approach to addressing model uncertainty has been to adjust the results of a single model through the use of an adjustment factor. However it is formulated, an explicit representation of model uncertainty can be propagated through the analysis in the same way as parameter uncertainty. More typically, however, particularly in the Level 1 analysis, the use of different models would result in the need for a different structure (e.g., with different thermal hydraulic models used to determine success criteria). In such cases, uncertainties in the choice of an appropriate model are typically addressed by making assumptions and, as in the case of the component failure models discussed above, adopting a specific model.

PRAs model the continuum of possible plant states in a discrete way, and are, by their very nature, approximate models of the world. This results in some random (aleatory) aspects of the world not being addressed except in a bounding way, e.g., different realizations of an accident sequence corresponding to different LOCA sizes (within a category) are treated by assuming a bounding LOCA, time of failure of an operating component assumed to occur at the moment of demand. These approximations introduce biases (uncertainties) into the results.

In interpreting the results of a PRA, it is important to develop an understanding of the impact of a specific assumption or choice of model on the predictions of the PRA. This is true even when the model uncertainty is treated probabilistically, since the probabilities, or weights, given to different models would be subjective. The impact of using alternative assumptions or models may be addressed by performing appropriate sensitivity studies, or they may be addressed using qualitative arguments, based on an understanding of the contributors to the results and how they are impacted by the change in assumptions or models. The impact of making specific modeling approximations may be explored in a similar manner.

2.2.5.4 Completeness Uncertainty. Completeness is not in itself an uncertainty, but a reflection of scope limitations. The result is, however, an uncertainty about where the true risk lies. The problem with completeness uncertainty is that, because it reflects an unanalyzed contribution, it is difficult (if not impossible) to estimate its magnitude.

Some contributions are unanalyzed not because methods are not available, but because they have not been refined to the level of the analysis of internal events. Examples are the analysis of some external events and the low power and shutdown modes of operation. There are issues, however, for which methods of analysis have not been developed, and they have to be accepted as potential limitations of the technology. Thus, for example, the impact on actual plant risk from unanalyzed issues such as the influences of organizational performance cannot now be explicitly assessed.

The issue of completeness of scope of a PRA can be addressed for those scope items for which methods are in principle available, and therefore some understanding of the contribution to risk exists, by supplementing the analysis with additional analysis to enlarge the scope, using more restrictive acceptance guidelines, or by providing arguments that, for the application of concern, the out-of-scope contributors are not significant. Approaches acceptable to the NRC staff for dealing with incompleteness are discussed in the next section.

2.2.5.5 Comparisons with Acceptance Guidelines. The different regions of the acceptance guidelines require different depths of analysis. Changes resulting in a net decrease in the CDF and LERF estimates do not require an assessment of the calculated baseline CDF and LERF. Generally, it should be possible to argue on the basis of an understanding of the contributors and the changes that are being made that the overall impact is indeed a decrease, without the need for a detailed quantitative analysis.

If the calculated values of CDF and LERF are very small, as defined by Region III in Figures 3 and 4, a detailed quantitative assessment of the baseline value of CDF and LERF will not be necessary. However, if there is an indication that the CDF or LERF could considerably exceed 10⁻⁴ and 10⁻⁵ respectively, in order for the change to be considered the licensee may be required to present arguments as to why steps should not be taken to reduce CDF or LERF. Such an indication would result, for example, if (1) the contribution to CDF or LERF calculated from a limited scope analysis, such as the IPE or the IPEEE, significantly exceeds 10⁻⁴ and 10⁻⁵ respectively, (2) there has been an identification of a potential vulnerability from a margins-type analysis, or (3) historical experience at the plant in question has indicated a potential safety concern.

For larger values of ΔCDF and ΔLERF, which lie in the range used to define Region II, an assessment of the baseline CDF and LERF is required.

To demonstrate compliance with the numerical guidelines, the level of detail required in the assessment of the values and the analysis of uncertainty related to model and incompleteness issues will depend on both (1) the LB change being considered and (2) the importance of the demonstration that Principle 4 has been met. In Region III of Figures 3 and 4, the closer the estimates of ΔCDF or ΔLERF are to their corresponding acceptance guidelines, the more detail will be required. Similarly, in Region II of Figures 3 and 4, the closer the estimates of ΔCDF or ΔLERF and CDF and LERF are to their corresponding acceptance guidelines, the more detail will be required. In a contrasting example, if the estimated value of a particular metric is very small compared to the acceptance goal, a simple bounding analysis may suffice with no need for a detailed uncertainty analysis.

Because of the way the acceptance guidelines were developed, the appropriate numerical measures to use in the initial comparison of the PRA results to the acceptance guidelines are mean values. The mean values referred to are the means of the probability distributions that result from the propagation of the uncertainties on the input parameters and those model uncertainties explicitly represented in the model. While a formal propagation of the uncertainty is the best way to correctly account for state-of-knowledge uncertainties that arise from the use of the same parameter values for several basic event probability models, under certain circumstances, a formal propagation of uncertainty may not be required if it can be demonstrated that the state-of-knowledge correlation is unimportant. This will involve, for example, a demonstration that the bulk of the contributing scenarios (cutsets or accident sequences) do not involve multiple events that rely on the same parameter for their quantification.
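The state-of-knowledge dependency named in Section 2.2.5.2 and the mean-value comparison described above can be shown numerically. The Python sketch below is an added example, not part of the regulatory guide: the cutsets, event names, medians and error factors are constructed, and lognormal parameter distributions are an assumed choice. It generalizes to any cutset list in which several basic events are quantified from one parameter.

```python
import math
import random

Z95 = 1.645  # 95th percentile of the standard normal; error factor EF = p95 / median

# Constructed inputs (assumptions, not from the guide): parameter -> (median, EF)
PARAMETERS = {
    "ie_loss_of_feedwater": (1.0e-1, 3.0),  # initiating event frequency, per year
    "mov_fails_to_open": (3.0e-3, 3.0),     # failure probability per demand
    "pump_fails_to_start": (1.0e-3, 3.0),   # failure probability per demand
}

# Basic event -> parameter that quantifies it. Redundant components of the
# same type share one parameter, which is the state-of-knowledge dependency.
EVENT_PARAMETER = {
    "IE-LOFW": "ie_loss_of_feedwater",
    "MOV-A": "mov_fails_to_open",
    "MOV-B": "mov_fails_to_open",
    "PUMP-1": "pump_fails_to_start",
    "PUMP-2": "pump_fails_to_start",
}

# Minimal cutsets; the frequency is their sum (rare-event approximation).
CUTSETS = [
    ("IE-LOFW", "MOV-A", "MOV-B"),
    ("IE-LOFW", "PUMP-1", "PUMP-2"),
]


def mu_sigma(parameter):
    """Lognormal (mu, sigma) of ln(X) from the parameter's median and error factor."""
    median, error_factor = PARAMETERS[parameter]
    return math.log(median), math.log(error_factor) / Z95


def analytic_mean(correlated):
    """Exact mean frequency, with or without the state-of-knowledge correlation."""
    total = 0.0
    for cutset in CUTSETS:
        counts = {}
        for event in cutset:
            name = EVENT_PARAMETER[event]
            counts[name] = counts.get(name, 0) + 1
        term = 1.0
        for name, k in counts.items():
            mu, sigma = mu_sigma(name)
            if correlated:
                term *= math.exp(k * mu + (k * sigma) ** 2 / 2)  # E[X^k]
            else:
                term *= math.exp(mu + sigma ** 2 / 2) ** k       # (E[X])^k
        total += term
    return total


def monte_carlo_mean(correlated, n=200_000, seed=2002):
    """Mean frequency from sampling.

    correlated=True : one draw per parameter per trial, reused by every event
                      quantified from it (the treatment the guide calls for).
    correlated=False: one draw per basic event, which ignores the dependency.
    """
    rng = random.Random(seed)
    params = {name: mu_sigma(name) for name in PARAMETERS}
    total = 0.0
    for _ in range(n):
        if correlated:
            draw = {name: rng.lognormvariate(mu, sigma)
                    for name, (mu, sigma) in params.items()}
            value = {event: draw[name] for event, name in EVENT_PARAMETER.items()}
        else:
            value = {event: rng.lognormvariate(*params[name])
                     for event, name in EVENT_PARAMETER.items()}
        total += sum(math.prod(value[event] for event in cutset) for cutset in CUTSETS)
    return total / n


if __name__ == "__main__":
    for label, flag in (("independent draws", False), ("correlated draws", True)):
        print(f"{label:18s} analytic={analytic_mean(flag):.3e} "
              f"sampled={monte_carlo_mean(flag):.3e}")
```

With these inputs every cutset contains one parameter twice, so ignoring the correlation understates the mean by a factor of exp(σ²), about 1.56 for an error factor of 3. A cutset list in which no parameter repeats within a cutset would give identical means, which is the condition the paragraph above describes for skipping a formal propagation.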

Consistent with the viewpoint that the guidelines are not to be used prescriptively, even if the calculated ΔCDF and ΔLERF values are such that they place the change in Region I or II, it may be possible to make a case that the application should be treated as if it were in Region II or III if, for example, it is shown that there are unquantified benefits that are not reflected in the quantitative risk results. However, care should be taken that there are no unquantified detrimental impacts of the change, such as an increase in operator burden. In addition, if compensatory measures are proposed to counter the impact of the major risk contributors, even though the impact of these measures may not be estimated numerically, such arguments will be considered in the decision process.


While the analysis of parametric uncertainty is fairly mature, and is addressed adequately through the use of mean values, the analysis of the model and completeness uncertainties cannot be handled in such a formal manner. Whether the PRA is full scope or only partial scope, and whether it is only the change in metrics or both the change and baseline values that need to be estimated, it will be incumbent on the licensee to demonstrate that the choice of reasonable alternative hypotheses, adjustment factors, or modeling approximations or methods to those adopted in the PRA model would not significantly change the assessment. This demonstration can take the form of well formulated sensitivity studies or qualitative arguments. In this context, "reasonable" is interpreted as implying some precedent for the alternative, such as use by other analysts, and also that there is a physically reasonable basis for the alternative. It is not the intent that the search for alternatives should be exhaustive and arbitrary. For the decisions that involve only assessing the change in metrics, the number of model uncertainty issues to be addressed will be smaller than for the case of the baseline values, when only a portion of the model is affected. The alternatives that would drive the result toward unacceptableness should be identified and sensitivity studies performed or reasons given as to why they are not appropriate for the current application or for the particular plant. In general, the results of the sensitivity studies should confirm that the guidelines are still met even under the alternative assumptions (i.e., change generally remains in the appropriate region). Alternatively, this analysis can be used to identify candidates for compensatory actions or increased monitoring. The licensee should pay particular attention to those assumptions that impact the parts of the model being exercised by the change.

When the PRA is not full scope, it is necessary for the licensee to address the significance of the out-of-scope items. The importance of assessing the contribution of the out-of-scope portions of the PRA to the base case estimates of CDF and LERF is related to the margin between the as-calculated values and the acceptance guidelines.

When the contributions from the modeled contributors are close to the guidelines, the argument that the contribution from the missing items is not significant must be convincing, and in some cases may require additional PRA analyses. When the margin is significant, a qualitative argument may be sufficient. The contribution of the out-of-scope portions of the model to the change in metric may be addressed by bounding analyses, detailed analyses, or by a demonstration that the change has no impact on the unmodeled contributors to risk. In addition, it should also be demonstrated that changes based on a partial PRA do not disproportionally change the risk associated with those accident sequences that arise from the modes of operation not included in the PRA.

One alternative to an analysis of uncertainty is to design the proposed LB change such that the major sources of uncertainty will not have an impact on the decisionmaking process. For example, in the region of the acceptance guidelines where small increases are allowed regardless of the value of the baseline CDF or LERF, the proposed change to the LB could be designed such that the modes of operation or the initiating events that are missing from the analysis would not be affected by the change. In these cases, incompleteness would not be an issue. Similarly, in such cases, it would not be necessary to address all the model uncertainties, but only those that impact the evaluation of the change.

If only a Level 1 PRA is available, in general, only the CDF is calculated and not the LERF. An approach is presented in Reference 10 that allows a subset of the core damage accidents identified in the Level 1 analysis to be allocated to a release category that is equivalent to a LERF. The approach uses simplified event trees that can be quantified by the licensee on the basis of the plant configuration applicable to each accident sequence in the Level 1 analysis. The frequency derived from these event trees can be compared to the LERF acceptance guidelines. The approach described in Reference 10 may be used to estimate LERF only in those cases when the plant is not close to the CDF and LERF benchmark values.

2.2.6 Integrated Decisionmaking

In making a regulatory decision, risk insights are integrated with considerations of defense in depth and safety margins. The degree to which the risk insights play a role, and therefore the need for detailed staff review, is application dependent.

Quantitative risk results from PRA calculations are typically the most useful and complete characterization of risk, but they are generally supplemented by qualitative risk insights and traditional engineering analysis. Qualitative risk insights include generic results that have been learned from the numerous PRAs that have been performed in the past decades and from operational experience. For example, if one is deciding which motor-operated valves in a plant can be subject to less frequent testing, the plant-specific PRA results can be compared with results from similar plants. This type of comparison can give support to the licensee's analysis and reduce the reliance of the staff review on the technical acceptability of the licensee PRA. However, as a general rule, applications that impact large numbers of SSCs will benefit from a PRA of high technical quality.

Traditional engineering analysis provides insight into available margins and defense in depth. In the example of the operational assessment of steam generator tubes discussed later in this section, it is traditional engineering analysis that provides assurance that structural integrity and leakage criteria have been satisfied. With few exceptions, these assessments are performed without any quantification of risk.

The results of the different elements of the engineering analyses discussed in Sections 2.2.1 and 2.2.2 must be considered in an integrated manner. None of the individual analyses is sufficient in and of itself. In this way, it can be seen that the decision will not be driven solely by the numerical results of the PRA. They are one input into the decisionmaking and help in building an overall picture of the implications of the proposed change on risk. The PRA has an important role in putting the change into its proper context as it impacts the plant as a whole. The PRA analysis is used to demonstrate that Principle 4 has been satisfied. As the discussion in the previous section indicates, both quantitative and qualitative arguments may be brought to bear. Even though the different pieces of evidence used to argue that the principle is satisfied may not be combined in a formal way, they need to be clearly documented.

In general, a risk-informed application will require some quantitative risk calculations using PRA methods. In some cases, the use of PRA will be extensive and will be crucial to the success of the application. There are some proposals for real-time use of the PRA and associated risk management software as a tool to assess plant configuration. The more ambitious proposals involve the use of risk meters. For example, the NRC and industry are cooperating on the risk-informed standard technical specification (RI-STS) project. If such a process were eventually adopted, one element might be to replace the traditional limiting conditions for operation (LCO) action statements with a PRA-oriented approach. When a licensee encounters an LCO, rather than shutting down the plant, it might be authorized to use the plant PRA to determine an appropriate configuration that represents an acceptable level of risk. Such a broad scope application would require a detailed PRA model that is capable of evaluating the risk associated with specific plant configurations. Since the configuration-specific risk could be affected by any of the elements of the model, this requires that the model has to be of relatively high quality.

There are, however, some applications that, because of the nature of the proposed change, have a limited impact on risk, and this is reflected in the impact on the elements of the risk model.

Another example is risk-informed inservice inspection (RI-ISI). In this application, risk significance was used as one criterion for selecting pipe segments to be periodically examined for cracking. During the staff review it became clear that a high level of emphasis on PRA technical acceptability was not necessary. Therefore, the staff review of plant-specific RI-ISI typically will include only a limited scope review of PRA technical acceptability.

The scope of implementation of the risk-informed decision will be a function of the confidence the NRC staff has in the results of the analysis. As indicated, one important factor that can be considered when determining the degree of implementation of the change is the ability to monitor the performance to limit the potential risk. In many applications, the potential risk can be limited by defining specific measures and criteria that must be monitored subsequent to approval. When relying on performance monitoring, the staff must have assurance that the measures truly represent the potential for risk increase and that the criteria are set at reasonable limits. Moreover, one must be sure that degrading performance can be detected in a timely fashion, long before a significant public health issue results. The impact of the monitoring can be fed back into the analysis to demonstrate how it supports the decision.

An example of this is the management of steam generator tube degradation. The NRC staff is working with industry to approve licensee use of NEI-97-06, a guidance document for determining what tubes can be left in service and how frequently steam generators need to be inspected. The guidance in NEI-97-06 includes guidance for licensees to perform an operational assessment prior to restart from an outage. Any tubes that exceed certain limits must be repaired or removed from service. The licensee must determine whether the tubes left in service will meet structural strength and leakage criteria at the end of the cycle. If not, the licensee must take compensatory action, such as a mid-cycle inspection. At the end of the cycle, the licensee must perform condition monitoring, in which the actual condition is examined to determine whether the actual performance met the criteria. Any unfavorable deviation of the actual tube behavior from the predicted performance must be accounted for in subsequent operational assessment.

In this example, performance monitoring (condition monitoring) is relied upon to assure that any deviations from acceptance criteria are detected promptly. Moreover, the results are used to improve the analysis techniques to limit potential deviations in future cycles.

The NRC review of an application will take all these factors into consideration. The review of PRA technical acceptability in particular will focus on those aspects that impact the results used in the decision and on the degree of confidence required in those results.

A limited application would lead the staff to conduct a more limited review of the risk estimates, and therefore to place less emphasis on the technical acceptability of the PRA than would be the case for a broad-scope application.


Finally, when implementing a decision, the licensee may choose to compensate for lack of confidence in the analysis by restricting the degree of implementation. This has been the technique used in several applications involving SSC categorization into low or high safety significance. In general, unless there is compelling evidence that the SSC is low safety significance, it is maintained as high safety significant. This requires a reasonable understanding of the limitations of the PRA. Another example of risk limitation is the placing of restrictions on the application. For example, risk-informed technical specification allowed outage time changes are accompanied by implementation of a configuration risk management program, which requires licensees to examine their plant configuration before voluntarily entering the approved condition.

In Section 2.2.4, it was indicated that the application would be given increased NRC management attention when the calculated values of the changes in the risk metrics, and their baseline values when appropriate, approached the guidelines. Therefore, the issues in the submittal expected to be addressed include:

• The cumulative impact of previous changes and the trend in CDF (the licensee's risk management approach);

• The cumulative impact of previous changes and the trend in LERF (the licensee's risk management approach);

• The impact of the proposed change on operational complexity, burden on the operating staff, and overall safety practices;

• Plant-specific performance and other factors (for example, siting factors, inspection findings, performance indicators, and operational events), and Level 3 PRA information, if available;

• The benefit of the change in relation to its CDF/LERF increase;

• The practicality of accomplishing the change with a smaller CDF/LERF impact; and

• The practicality of reducing CDF/LERF when there is reason to believe that the baseline CDF/LERF are above the guideline values (i.e., 10⁻⁴ and 10⁻⁵ per reactor year).

2.3 ELEMENT 3: DEFINE IMPLEMENTATION AND MONITORING PROGRAM

Careful consideration should be given to implementation and performance-monitoring strategies. The primary goal for this element is to ensure that no adverse safety degradation occurs because of the changes to the LB. The staff's principal concern is the possibility that the aggregate impact of changes that affect a large class of SSCs could lead to an unacceptable increase in the number of failures from unanticipated degradation, including possible increases in common cause mechanisms. Therefore, an implementation and monitoring plan should be developed to ensure that the engineering evaluation conducted to examine the impact of the proposed changes continues to reflect the actual reliability and availability of SSCs that have been evaluated. This will ensure that the conclusions that have been drawn from the evaluation remain valid. Further details of acceptable processes for implementation in specific applications are discussed in application-specific regulatory guides (Refs. 6-9).

Decisions concerning the implementation of changes should be made in light of the uncertainty associated with the results of the traditional and probabilistic engineering evaluations. Broad implementation within a limited time period may be justified when uncertainty is shown to be low (data and models are adequate, engineering evaluations are verified and validated, etc.), whereas a slower, phased approach to implementation (or other modes of partial implementation) would be expected when uncertainty in evaluation findings is higher and where programmatic changes are being made that could impact SSCs across a wide spectrum of the plant, such as in inservice testing, inservice inspection, and graded quality assurance (IST, ISI, and graded QA). In such situations, the potential introduction of common cause effects must be fully considered and included in the submittal.

The staff expects licensees to propose monitoring programs that include a means to adequately track the performance of equipment that, when degraded, can affect the conclusions of the licensee's engineering evaluation and integrated decisionmaking that support the change to the LB. The program should be capable of trending equipment performance after a change has been implemented to demonstrate that performance is consistent with that assumed in the traditional engineering and probabilistic analyses that were conducted to justify the change. This may include monitoring associated with non-safety-related SSCs if the analysis determines those SSCs to be risk significant. The program should be structured such that (1) SSCs are monitored commensurate with their safety importance, i.e., monitoring for SSCs categorized as having low safety significance may be less rigorous than that for SSCs of high safety significance, (2) feedback of information and corrective actions is accomplished in a timely manner, and (3) degradation in SSC performance is detected and corrected before plant safety can be compromised. The potential impact of observed SSC degradation on similar components in different systems throughout the plant should be considered.

The staff expects that licensees will integrate, or at least coordinate, their monitoring for risk-informed changes with existing programs for monitoring equipment performance and other operating experience on their site and throughout the industry. In particular, monitoring that is performed in conformance with the Maintenance Rule (10 CFR 50.65) can be used when the monitoring performed under the Maintenance Rule is sufficient for the SSCs affected by the risk-informed application. If an application requires monitoring of SSCs that are not included in the Maintenance Rule, or has a greater resolution of monitoring than the Maintenance Rule (component vs. train or plant-level monitoring), it may be advantageous for a licensee to adjust the Maintenance Rule monitoring program rather than to develop additional monitoring programs for risk-informed purposes. In these cases, the performance criteria chosen should be shown to be appropriate for the application in question. It should be noted that plant or licensee performance under actual design conditions may not be readily measurable. When actual conditions cannot be monitored or measured, whatever information most closely approximates actual performance data should be used. For example, establishing a monitoring program with a performance-based feedback approach may combine some of the following activities.

• Monitoring performance characteristics under actual design basis conditions (e.g., reviewing actual demands on emergency diesel generators, reviewing operating experience)

• Monitoring performance characteristics under test conditions that are similar to those expected during a design basis event

• Monitoring and trending performance characteristics to verify aspects of the underlying analyses, research, or bases for a requirement (e.g., measuring battery voltage and specific gravity, inservice inspection of piping)

• Evaluating licensee performance during training scenarios (e.g., emergency planning exercises, operator licensing examinations)

• Component quality controls, including developing pre- and post-component installation evaluations (e.g., environmental qualification inspections, reactor protection system channel checks, continuity testing of boiling water reactor squib valves).

As part of the monitoring program, it is important that provisions for specific cause determination, trending of degradation and failures, and corrective actions be included.

Such provisions should be applied to SSCs commensurate with their importance to safety as determined by the engineering evaluation that supports the LB change. A determination of cause is needed when performance expectations are not being met or when there is a functional failure of an application-specific SSC that poses a significant condition adverse to performance. The cause determination should identify the cause of the failure or degraded performance to the extent that corrective action can be identified that would preclude the problem or ensure that it is anticipated prior to becoming a safety concern. It should address failure significance, the circumstances surrounding the failure or degraded performance, the characteristics of the failure, and whether the failure is isolated or has generic or common cause implications (as defined in Ref. 14).

Finally, in accordance with Criterion XVI of Appendix B to 10 CFR Part 50, the monitoring program should identify any corrective actions to preclude the recurrence of unacceptable failures or degraded performance. The circumstances surrounding the failure may indicate that the SSC failed because of adverse or harsh operating conditions (e.g., operating a valve dry, over-pressurization of a system) or failure of another component that caused the SSC failure. Therefore, corrective actions should also consider SSCs with similar characteristics with regard to operating, design, or maintenance conditions. The results of the monitoring need not be reported to the NRC, but should be retained onsite for inspection.

2.4 ELEMENT 4: SUBMIT PROPOSED CHANGE

Requests for proposed changes to the plant's LB typically take the form of requests for license amendments (including changes to or removal of license conditions), technical specification changes, changes to or withdrawals of orders, and changes to programs pursuant to 10 CFR 50.54 (e.g., QA program changes under 10 CFR 50.54(a)).

Licensees should (1) carefully review the proposed LB change in order to determine the appropriate form of the change request, (2) ensure that information required by the relevant regulations in support of the request is developed, and (3) prepare and submit the request in accordance with relevant procedural requirements. For example, license amendments should meet the requirements of 10 CFR 50.90, 50.91, and 50.92, as well as the procedural requirements in 10 CFR 50.4. Risk information that the licensee submits in support of the LB change request should meet the guidance in Section 3 of this regulatory guide.

Licensees are free to decide whether to submit risk information in support of their LB change request. If the licensees proposed change to the LB is consistent with currently approved staff positions, the staffs determination generally will be based solely on traditional engineering analyses without recourse to risk information (although the staff may consider any risk information submitted by the licensee). If the licensees proposed change goes beyond currently approved staff positions, the staff normally will consider both information based on traditional engineering analyses and information based on risk insights. If the licensee does not submit risk information in support of an LB change that goes beyond currently approved staff positions, the staff may request the licensee to submit such information. If the licensee chooses not to provide the risk information, the staff will review the proposed application using traditional engineering analyses and determine whether sufficient information has been provided to support the requested change. However, if new information reveals an unforeseen hazard or a substantially greater potential for a known hazard to occur, such as the identification of an issue related to the requested LB change that may substantially increase risk (see Ref. 3), the NRC staff will request the licensee to submit risk-related information. The NRC staff will not approve the requested LB change until it has reasonable assurance that the public health and safety will be adequately protected if the requested LB change is approved.

In developing the risk information set forth in this regulatory guide, licensees will likely identify SSCs with high risk significance that are not currently subject to regulatory requirements or are subject to a level of regulation that is not commensurate with their risk significance. It is expected that licensees will propose LB changes that will subject these SSCs to an appropriate level of regulatory oversight, consistent with the risk significance of each SSC. Specific information on the staff's expectations in this regard is set forth in the application-specific regulatory guides (Refs. 6-9).

2.5 QUALITY ASSURANCE

As stated in Section 2.2, the staff expects that the quality of the engineering analyses conducted to justify proposed LB changes will be appropriate for the nature of the change. In this regard, it is expected that for traditional engineering analyses (e.g., deterministic engineering calculations) existing provisions for quality assurance (e.g., Appendix B to 10 CFR Part 50, for safety-related SSCs) will apply and provide the appropriate quality needed. Likewise, when a risk assessment of the plant is used to provide insights into the decisionmaking process, the staff expects that the PRA will have been subject to quality control.

To the extent that a licensee elects to use PRA information to enhance or modify activities affecting the safety-related functions of SSCs, the following, in conjunction with the other guidance contained in this guide, describes methods acceptable to the NRC staff to ensure that the pertinent quality assurance requirements of Appendix B to 10 CFR Part 50 are met and that the PRA is of sufficient quality to be used for regulatory decisions.

  • Use personnel qualified for the analysis.

  • Use procedures that ensure control of documentation, including revisions, and provide for independent review, verification, or checking of calculations and information used in the analyses (an independent peer review or certification program can be used as an important element in this process).

  • Provide documentation and maintain records in accordance with the guidelines in Section 3 of this guide.

  • Use procedures that ensure appropriate attention and corrective actions are taken if assumptions, analyses, or information used in previous decisionmaking is changed (e.g., licensee voluntary action) or determined to be in error.

When performance monitoring programs are used in the implementation of proposed changes to the LB, it is expected that those programs will be implemented by using quality assurance provisions commensurate with the safety significance of affected SSCs. An existing PRA or analysis can be utilized to support a proposed LB change, provided it can be shown that the appropriate quality provisions have been met.

3. DOCUMENTATION

3.1 Introduction

To facilitate the NRC staff's review to ensure that the analyses conducted were sufficient to conclude that the key principles of risk-informed regulation have been met, documentation of the evaluation process and findings is expected to be maintained. Additionally, the information submitted should include a description of the process used by the licensee to ensure quality its adequacy and some specific information to support the staff's conclusion regarding the acceptability of the requested LB change.

3.2 Archival Documentation

Archival documentation should include a detailed description of engineering analyses conducted and the results obtained, irrespective of whether they were quantitative or qualitative, or whether the analyses made use of traditional engineering methods or probabilistic approaches. This documentation should be maintained by the licensee, as part of the normal quality assurance program, so that it is available for examination. Documentation of the analyses conducted to support changes to a plant's LB should be maintained as lifetime quality records in accordance with Regulatory Guide 1.33 (Ref. 15).

3.3 Licensee Submittal Documentation

To support the NRC staff's conclusion that the proposed LB change is consistent with the key principles of risk-informed regulation and NRC staff expectations, the staff expects the following information will be submitted to the NRC:

  • A description of how the proposed change will impact the LB (relevant principle: LB changes meet regulations).

  • A description of the components and systems affected by the change, the types of changes proposed, the reason for the changes, and results and insights from an analysis of available data on equipment performance (relevant staff expectation: all safety impacts of the proposed LB change must be evaluated).

  • A reevaluation of the LB accident analysis and the provisions of 10 CFR Parts 20 and 100, if appropriate (relevant principles: LB changes meet the regulations, sufficient safety margins are maintained, defense-in-depth philosophy).

  • An evaluation of the impact of the LB change on the breadth or depth of defense-in-depth attributes of the plant (relevant principle: defense-in-depth philosophy).

  • Identification of how and where the proposed change will be documented as part of the plant's LB (e.g., FSAR, technical specifications, licensing conditions). This should include proposed changes or enhancements to the regulatory controls for high-risk-significant SSCs that are not subject to any requirements or for which the requirements are not commensurate with the SSCs' risk significance.

The licensee should also identify:

  • Key assumptions in the PRA that impact the application (e.g., voluntary licensee actions), elements of the monitoring program, and commitments made to support the application.

  • SSCs for which requirements should be increased.

  • The information to be provided as part of the plant's LB (e.g., FSAR, technical specifications, licensing condition).

  • Whether provisions of Appendix B to 10 CFR Part 50 apply to the PRA. This comes into play if the PRA forms part of the basis used to enhance or modify safety-related functions of SSCs subject to those provisions. Thus, the licensee would be expected to control PRA activity in a manner commensurate with its impact on the facility's design and licensing basis and in accordance with all applicable regulations and its QA program description.

An independent peer review can be an important element of ensuring technical acceptability this quality. The licensee's submittal should discuss measures used to ensure it adequate quality, such as a report of a peer review (when performed) that addresses the appropriateness of the PRA model for supporting a risk assessment of the LB change under consideration. The report should address any analysis limitations that are expected to impact the conclusion regarding acceptability of the proposed change.

The licensee's resolution of the findings of the peer review, certification, or cross comparison, when performed, should also be submitted. For example, this response could indicate whether the PRA was modified or could justify why no change was necessary to support decisionmaking for the LB change under consideration. As discussed in Section 2.2.2, the staff's decision on the proposed license amendment will be based on its independent judgment and review, as appropriate, of the entire application.

3.3.1 Risk Assessment Methods

In order to have confidence that the risk assessment conducted is adequate to support the proposed change, a summary of the risk assessment methods used should be submitted. Consistent with current practice, information submitted to the NRC for its consideration in making risk-informed regulatory decisions will be made publicly available, unless such information is deemed proprietary and justified as such. The following information should be submitted and is intended to illustrate that the scope, level of detail, and technical acceptability of the engineering analyses conducted to justify the proposed LB change are appropriate to the nature and scope of the change:

  • A description of risk assessment methods used,

  • The key modeling assumptions that are necessary to support the analysis or that impact the application,

  • The event trees and fault trees necessary to support the analysis of the LB change, and

  • A list of operator actions modeled in the PRA that impact the application and their error probabilities.

The submitted information that summarizes the results of the risk assessment should include:

  • The effects of the change on the dominant sequences (sequences that contribute more than five percent to the risk) in order to show that the LB change does not create risk outliers and does not exacerbate existing risk outliers.

  • An assessment of the change to CDF and LERF, including a description of the significant contributors to the change.

  • Information related to assessment of the total plant CDF; the extent of the information required will depend on whether the analysis of the change in CDF is in Region II or Region III of Figure 3. The information could include quantitative (e.g., IPE or PRA results for internal initiating events, external event PRA results if available) and qualitative or semi-quantitative information (results of margins analyses, outage configuration studies).

  • Information related to assessment of total plant LERF; the extent of the information required will depend on whether the analysis of the change in LERF is in Region II or Region III of Figure 4. The information could include quantitative (e.g., IPE or PRA results for internal initiating events, external event PRA results if available) and qualitative or semi-quantitative information (results of margins analyses, outage configuration studies).

  • Results of analyses that show that the conclusions regarding the impact of the LB change on plant risk will not vary significantly under a different set of plausible assumptions.

  • A description of the licensee process to ensure PRA quality technical acceptability and a discussion as to why the PRA is of sufficient quality to support the current application.

3.3.2 Cumulative Risks

As part of evaluation of risk, licensees should understand the effects of the present application in light of past applications. Optimally, the PRA used for the current application should already model the effects of past applications. However, qualitative effects and synergistic effects are sometimes difficult to model. Tracking changes in risk (both quantifiable and nonquantifiable) that are due to plant changes would provide a mechanism to account for the cumulative and synergistic effects of these plant changes and would help to demonstrate that the proposing licensee has a risk management philosophy in which PRA is not just used to systematically increase risk, but is also used to help reduce risk where appropriate and where it is shown to be cost effective. The tracking of cumulative risk will also help the NRC staff in monitoring trends.

Therefore, as part of the submittal, the licensee should track and submit the impact of all plant changes that have been submitted for NRC review and approval.

Documentation should include:

  • The calculated change in risk for each application (CDF and LERF) and the plant elements (e.g., SSCs, procedures) affected by each change,

  • Qualitative arguments that were used to justify the change (if any) and the plant elements affected by these arguments,

  • Compensatory measures or other commitments used to help justify the change (if any) and the plant elements affected, and

  • Summarized results from the monitoring programs (where applicable) and a discussion of how these results have been factored into the PRA or into the current application.

As an option, the submittal could also list (but not submit to the NRC) past changes to the plant that reduced the plant risk, especially those changes that are related to the current application. A discussion of whether these changes are already included in the base PRA model should also be included.

3.4 Implementation Plan and Performance Monitoring Documentation

As described in Section 2.3, a key principle of risk-informed regulation is that proposed performance implementation and monitoring strategies reflect uncertainties in analysis models and data. Consequently, the submittal should include a description and rationale for the implementation and performance monitoring strategy for the proposed LB change.

REFERENCES

1. USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Vol. 60, p. 42622 (60 FR 42622), August 16, 1995.
2. USNRC, Risk-Informed Regulation Implementation Plan, SECY-00-0213, October 16, 2000; updated December 5, 2001 (SECY-01-0218).¹
3. USNRC, "Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decisionmaking: General Guidance," Draft Revision 1 of Chapter 19 of the Standard Review Plan, NUREG-0800, June 2001.²
4. USNRC, Addressing PRA Quality in Risk-Informed Activities, SECY-00-0162, July 28, 2000.¹
5. USNRC, "Safety Goals for the Operations of Nuclear Power Plants; Policy Statement," Federal Register, Vol. 51, p. 30028 (51 FR 30028), August 4, 1986.
6. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing," Regulatory Guide 1.175, August 1998.²
7. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assurance," Regulatory Guide 1.176, August 1998.²
8. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," Regulatory Guide 1.177, August 1998.²
9. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Inspection of Piping," Regulatory Guide 1.178, September 1998.²
10. W.T. Pratt et al., "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," NUREG/CR-6595, January 1999.³
11. Letter to Samuel J. Collins, NRC, from Ralph E. Beedle, NEI, April 24, 2000, with attached "Probabilistic Risk Analysis (PRA) Peer Review Guidance," Rev. A3, NEI 00-02, Prepared for NEI Risk-Based Applications Task Force by WOG/Westinghouse Electric Co., and B&WOG/Framatome Technologies, Inc.⁴
12. USNRC, "Rulemaking Plan for Risk-Informing Special Treatment Requirements," SECY-99-256, October 29, 1999.¹
13. G. Apostolakis and S. Kaplan, "Pitfalls in Risk Calculations," Reliability Engineering, Vol. 2, pages 135-145, 1981.
14. A. Mosleh et al., "Procedures for Treating Common Cause Failures in Safety and Reliability Studies," NUREG/CR-4780, Vol. 2, January 1989.³
15. USNRC, "Quality Assurance Program Requirements," Regulatory Guide 1.33, Revision 2, February 1978.²

¹ USNRC SECY papers are available electronically on the NRC's web page at <www.nrc.gov> under Commission's Activities.

² Single copies of regulatory guides, both active and draft, and draft NUREG documents may be obtained free of charge by writing the Reproduction and Distribution Services Section, OCIO, USNRC, Washington, DC 20555-0001, or by fax to (301)415-2289, or by email to <DISTRIBUTION@NRC.GOV>. Active guides may also be purchased from the National Technical Information Service on a standing order basis. Details on this service may be obtained by writing NTIS, 5285 Port Royal Road, Springfield, VA 22161; telephone (703)487-4650; online <http://www.ntis.gov/ordernow>. Copies of active and draft guides are available for inspection or copying for a fee from the NRC Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301)415-4737 or (800)397-4209; fax (301)415-3548; email <PDR@NRC.GOV>.

³ Copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-1800); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161; telephone (703)487-4650; <http://www.ntis.gov/ordernow>. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301)415-4737 or (800)397-4209; fax (301)415-3548; email <PDR@NRC.GOV>.

⁴ Copies are available for inspection or copying for a fee from the NRC Public Document Room at 11555 Rockville Pike (first floor), Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301)415-4737 or 1-(800)397-4209; fax (301)415-3548; e-mail <PDR@NRC.GOV>. Copies are available electronically on the NRC's web site at <www.nrc.gov> under the Commission's Activities.


APPENDIX A

PRA Characteristics and Attributes

A.1 INTRODUCTION

In any regulatory decision, the goal is to make a sound safety decision based on technically defensible information. Therefore, for a regulatory decision relying upon risk insights as one source of information, there needs to be confidence in the PRA results from which the insights are derived. Consequently, the PRA needs to have the requisite scope, level of detail, and technical acceptability to give an appropriate level of confidence in the results used in the regulatory decisionmaking. It is recognized that these aspects can vary depending on the specific decision under consideration.

Although the minimum technical elements needed to ensure a PRA acceptable to the staff are defined herein, they do not, by themselves, ensure confidence in PRA results. This confidence may be gained, however, via the definition and proper use of supporting technical requirements.

For example, in the Level 1 technical element of systems analysis, one functional attribute is that the model is developed in sufficient detail to capture the impact of dependencies. To ensure that the intent of this attribute is met, it is necessary to understand the dependencies that could impact the availability and operability of the system and components under consideration. However, what the dependencies are and how they support a specific system or component are not always evident. Dependencies such as the need for DC power for the Reactor Core Isolation Cooling (RCIC) system (in a BWR) are evident. However, for continued operation of RCIC, there is also a need for suppression pool cooling. The steam from the RCIC turbine exhausts to the suppression pool, and loss of cooling to the pool can cause the RCIC turbine to trip on high exhaust pressure. This type of dependency is not as evident. Consequently, to ensure that the PRA has properly accounted for the impact of dependencies, supporting technical requirements interpreting this functional requirement (and the others) are needed. In this example, the supporting requirements may specify the types of dependencies (e.g., motive and control power, design and operational conditions) that need to be considered in looking at the availability and operability of a particular type of component (e.g., turbine-driven pump).
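The RCIC dependency described above can be shown on a small fault tree. The following is an added example, not part of the regulatory guide: the gate structure, the two-train model of suppression pool cooling, the event names, and all probabilities are constructed for illustration, and basic events are assumed independent.

```python
"""Added example: effect of a non-evident dependency on a small fault tree."""
from itertools import product

# A node is a basic-event name (str) or a gate tuple:
# ("OR", child, ...) or ("AND", child, ...). The top event is system failure.


def basic_events(node):
    """Return the set of basic-event names below a node."""
    if isinstance(node, str):
        return {node}
    _, *children = node
    return set().union(*(basic_events(c) for c in children))


def minimal_cut_sets(node):
    """Return the minimal cut sets of a coherent AND/OR tree."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if op == "OR":
        combined = set().union(*child_sets)
    elif op == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {op!r}")
    # Drop any cut set that strictly contains another one.
    return {s for s in combined if not any(other < s for other in combined)}


def evaluate(node, state):
    """True if the node's failure condition holds for a given event state."""
    if isinstance(node, str):
        return state[node]
    op, *children = node
    results = [evaluate(c, state) for c in children]
    return any(results) if op == "OR" else all(results)


def top_event_probability(node, probs):
    """Exact top-event probability by enumerating all basic-event states."""
    events = sorted(basic_events(node))
    total = 0.0
    for outcome in product([False, True], repeat=len(events)):
        state = dict(zip(events, outcome))
        if evaluate(node, state):
            p = 1.0
            for name, failed in state.items():
                p *= probs[name] if failed else 1.0 - probs[name]
            total += p
    return total


def dependency_gap(partial_model, full_model, probs):
    """Cut sets and probabilities that the partial model fails to capture."""
    missing = minimal_cut_sets(full_model) - minimal_cut_sets(partial_model)
    return (missing,
            top_event_probability(partial_model, probs),
            top_event_probability(full_model, probs))


# Model with only the evident dependency (DC power).
RCIC_EVIDENT = ("OR", "RCIC_PUMP", "DC_POWER")

# Model that also captures the suppression pool cooling dependency.
# Two redundant cooling trains are a constructed assumption.
SPC_LOST = ("AND", "SPC_TRAIN_A", "SPC_TRAIN_B")
RCIC_FULL = ("OR", "RCIC_PUMP", "DC_POWER", SPC_LOST)

# Constructed failure probabilities, not plant data.
PROBS = {
    "RCIC_PUMP": 0.05,
    "DC_POWER": 0.001,
    "SPC_TRAIN_A": 0.1,
    "SPC_TRAIN_B": 0.1,
}

if __name__ == "__main__":
    missing, p_evident, p_full = dependency_gap(RCIC_EVIDENT, RCIC_FULL, PROBS)
    print("cut sets missed:", [sorted(s) for s in missing])
    print(f"P(fail), evident dependencies only: {p_evident:.6f}")
    print(f"P(fail), with suppression pool cooling: {p_full:.6f}")
```

With these constructed inputs, the model that omits suppression pool cooling misses one cut set and understates the failure probability.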

Consensus PRA standards can be used to define these technical requirements, and an industry peer review program can provide an assessment of the PRA's weaknesses. The staff expects that these standards will be endorsed by NRC.

A.2 PRA CHARACTERISTICS AND ATTRIBUTES

Tables A-1 and A-2 provide a summary of the PRA characteristics and attributes acceptable to the staff.

Table A-1 Summary of Characteristics and Attributes of an Acceptable PRA

Element / Desired Characteristics and Attributes

PRA Full Power, Low Power, and Shutdown

Level 1 PRA (internal events -- transients and loss of coolant accidents (LOCAs))

Initiating Event Analysis
  • sufficiently detailed identification and characterization of initiators
  • grouping of individual events according to plant response and mitigating requirements

Success Criteria Analysis
  • based on best-estimate engineering analyses applicable to the actual plant design and operation
  • codes developed, validated, and verified in sufficient detail to
    - analyze the phenomena of interest
    - be applicable in the pressure, temperature, and flow range of interest

Accident Sequence Development Analysis
  • defined in terms of hardware, operator action, and timing requirements and desired end states (e.g., core damage or plant damage states)
  • includes necessary and sufficient equipment (safety and non-safety) reasonably expected to be used to mitigate initiators
  • includes functional, phenomenological, and operational dependencies and interfaces

Systems Analysis
  models developed in sufficient detail to:
  • reflect the as-built, as-operated plant, including how it has performed during the plant history
  • reflect the required success criteria for the systems to mitigate each identified accident sequence
  • capture the impact of dependencies, including support systems and harsh environmental impacts
  • include both active and passive components and failure modes that impact the function of the system
  • include common cause failures, human errors, unavailability due to test and maintenance, etc.

Parameter Estimation Analysis
  • estimation of parameters associated with initiating event, basic event probability models, recovery actions, and unavailability events that account for plant-specific and generic data
  • consistent with component boundaries
  • estimation includes a characterization of the uncertainty

Human Reliability Analysis
  • identification and definition of the human failure events that would result in initiating events or pre- and post-accident events that would impact the mitigation of initiating events
  • quantification of the associated human error probabilities, taking into account scenario- (where applicable) and plant-specific factors and including appropriate dependencies both pre- and post-accident

Quantification
  • estimation of the CDF for modeled sequences that are not screened due to truncation, given as a mean value
  • estimation of the accident sequence CDFs for each initiating event group
  • truncation values set relative to the total plant CDF such that the frequency is not significantly impacted

Interpretation of Results Analysis
  • identification of the key contributors to CDF: initiating events, accident sequences, equipment failures, and human errors
  • identification of sources of uncertainty and their impact on the results
  • understanding of the impact of the key assumptions* on the CDF and the identification of the accident sequence and their contributors

Level 2 PRA

Plant Damage State Analysis
  • identification of the attributes of the core damage scenarios that influence severe accident progression, containment performance, and any subsequent radionuclide releases
  • grouping of core damage scenarios with similar attributes into plant damage states
  • carryover of relevant information from Level 1 to Level 2

Severe Accident Progression Analysis
  • use of verified, validated codes by qualified trained users with an understanding of the code limitations and the means for addressing the limitations
  • assessment of the credible severe accident phenomena via a structured process
  • assessment of containment system performance, including linkage with failure modes on non-containment systems
  • establishment of the capacity of the containment to withstand severe accident environments
  • assessment of accident progression timing, including timing of loss of containment failure integrity

Quantification
  • estimation of the frequency of different containment failure modes and resulting radionuclide source terms

Source Term Analysis
  • assessment of radionuclide releases, including appreciation of timing, location, amount and form of release
  • grouping of radionuclide releases into smaller subset of representative source terms with emphasis on large early release (LER) and on large late release (LLR)

Interpretation of Results Analysis
  • identification of the contributors to containment failure and resulting source terms
  • identification of sources of uncertainty and their impact on the results
  • understanding of the impact of the key assumptions* on Level 2 results

Documentation

Traceability and defensibility
  • the documentation is sufficient to facilitate independent peer reviews
  • the documentation describes all the important interim and final results, insights, and important sources of uncertainties
  • walkdown process and results are fully described

* Assumptions include those decisions and judgments that were made in the course of the analysis.

In addressing the above elements, because of the nature and impact of internal flood and fire and external hazards, their attributes need to be discussed separately. This is because flood, fire, and external hazards analyses have the ability to cause initiating events but also have the capability to impact the availability of mitigating systems. Therefore, in developing the PRA model, the impact of flood, fire, and external hazards needs to be considered in each of the above technical elements. Table A-2 provides a summary of the desired attributes of an acceptable internal flood, fire and external hazards analysis.

Table A-2 Summary of Characteristics and Attributes of an Acceptable Internal Flood and Fire Analysis and External Hazards Analysis

Areas of Analysis / Desired Characteristics and Attributes*

Internal Flood Analysis

Flood Identification Analysis
  • sufficiently detailed identification and characterization of:
    - flood areas and SSCs located within each area
    - flood sources and flood mechanisms
    - type of water release and capacity
    - structures functioning as drains and sumps
  • verification of the information through plant walkdowns

Flood Evaluation Analysis
  • identification and evaluation of
    - flood propagation paths
    - flood-mitigating plant design features and operator actions
    - susceptibility of SSCs in each flood area to the different types of floods
  • elimination of flood scenarios uses well defined and justified screening criteria

Quantification
  • identification of flooding-induced initiating events on the basis of a structured and systematic process
  • estimation of flooding-initiating event frequencies
  • estimation of CDF for chosen flood scenarios
  • modification of the Level 1 models to account for flooding effects, including uncertainties

Internal Fire Analysis

Fire Area Identification and Screening Analysis
  • all potentially risk-significant fire areas are identified and addressed
  • all required mitigating components and their cables in each fire area are identified
  • screening criteria are defined and justified
  • necessary walkdowns are performed to confirm the screening decisions
  • screening process and results are documented
  • unscreened events areas are subjected to appropriate level of evaluations (including detailed fire PRA evaluations as described below) as needed

Fire Initiation Analysis
  • all potentially significant fire scenarios in each unscreened area are addressed
  • fire scenario frequencies reflect plant-specific features
  • fire scenario physical characteristics are defined
  • bases are provided for screening fire initiators

Fire Growth and Damage Analysis
  • damage to all potentially significant components is addressed; considers all potential component failure modes
  • all potentially significant damage mechanisms are identified and addressed; damage criteria are specified
  • analysis addresses scenario-specific factors affecting fire growth, suppression, and component damage
  • models and data are consistent with experience from actual fire experience as well as experiments
  • includes evaluation of propagation of fire and fire effects (e.g., smoke) between fire compartments

Plant
  • includes fire scenario impacts on core damage mitigation and containment systems, including fire-induced failures
  • potential circuit interactions that can interfere with safe shutdown are addressed
  • human reliability analysis addresses effect of fire scenario-specific conditions on operator performance

Quantification
  • estimation of CDF for chosen fire scenarios
  • identification of sources of uncertainty and their impact on the results
  • understanding of the impact of the key assumptions** on the CDF
  • all fire risk-significant sequences are traceable and reproducible

External Hazards Analysis

Screening and Bounding Analysis
  • credible external events (natural and man-made) that may affect the site are addressed
  • screening and bounding criteria are defined and results are documented
  • necessary walkdowns are performed
  • non-screened events are subjected to appropriate level of evaluations

Hazard Analysis
  • the hazard analysis is site- and plant-specific
  • the hazard analysis addresses uncertainties

Fragility Analysis
  • fragility estimates are plant-specific for important SSCs
  • walkdowns are conducted to identify plant-unique conditions, failure modes, and as-built conditions.

Level 1 Model Modification
  • important external-event-caused initiating events that can lead to core damage and large early release are included
  • external-event-related unique failures and failure modes are incorporated
  • equipment failures from other causes and human errors are included. When necessary, human error data is modified to reflect unique circumstances related to the external event under consideration
  • unique aspects of common causes, correlations, and dependencies are included
  • the systems model reflects as-built, as-operated plant conditions
  • the integration/quantification accounts for the uncertainties in each of the inputs (i.e., hazard, fragility, system modeling) and final quantitative results such as CDF and LERF
  • the integration/quantification accounts for all dependencies and correlations that affect the results

* Documentation also applies to flood, fire and external hazards.
** Assumptions include those decisions and judgments that were made in the course of the analysis.

Additional descriptions of the characteristics and attributes in Tables A-1 and A-2 follow.

Level 1 PRA (Internal Events)

Initiating event analysis identifies and characterizes those random internal events that both challenge normal plant operation during power or shutdown conditions and require successful mitigation by plant equipment and personnel to prevent core damage from occurring. Events that have occurred at the plant and those that have a reasonable probability of occurring are identified and characterized. An understanding of the nature of the events is performed such that a grouping of the events into event classes, with the classes defined by similarity of system and plant responses (based on the success criteria), may be performed to manage the large number of potential events that can challenge the plant.

Success criteria analysis determines the minimum requirements for each function (and ultimately the systems used to perform the functions) needed to prevent core damage (or to mitigate a release) if an initiating event occurs. The requirements defining the success criteria are based on acceptable engineering analyses that represent the design and operation of the plant under consideration. The criteria needed for a function to be successful are dependent on the initiator and the conditions created by the initiator. The code(s) used to perform the analyses for developing the success criteria are validated and verified for both technical integrity and suitability to assess plant conditions for the reactor pressure, temperature, and flow range of interest, and to accurately analyze the phenomena of interest. Calculations are performed by personnel qualified to perform the types of analyses of interest and are well trained in the use of the code(s).

Accident sequence development analysis models, chronologically, the different possible progression of events (i.e., accident sequences) that can occur from the start of the initiating event to either successful mitigation or to core damage. The accident sequences account for those systems and operator actions that are used (and available) to mitigate the initiator based on the defined success criteria and plant operating procedures (e.g., plant emergency and abnormal operating procedures and as practiced in simulator exercises). The availability of a system includes consideration of the functional, phenomenological, and operational dependencies and interfaces among the different systems and operator actions during the course of the accident progression.

Systems analysis identifies the different combinations of failures that can preclude the ability of the system to perform its function as defined by the success criteria. The model representing the various failure combinations includes, from an as-built and as-operated perspective, the system hardware and instrumentation (and their associated failure modes) and the human failure events that would prevent the system from performing its defined function. The basic events representing equipment and human failures are developed in sufficient detail in the model to account for dependencies among the different systems, as well as to distinguish the specific equipment or human event (and its failure mechanism) that has a major impact on the system's ability to perform its function.

Parameter estimation analysis quantifies the frequencies of the identified initiators and quantifies the equipment failure probabilities and equipment unavailabilities of the modeled systems. The estimation process includes a mechanism for addressing uncertainties, has the ability to combine different sources of data in a coherent manner, and represents the actual operating history and experience of the plant and applicable generic experience.

Human reliability analysis identifies and provides probabilities for the human failure events that can negatively impact normal or emergency plant operations. The human failure events associated with normal plant operation include those events that leave the system (as defined by the success criteria) in an unrevealed, unavailable state. The human failure events associated with emergency plant operation include those events that, if not performed, do not allow the needed system to function. Quantification of the probabilities of these human failure events is based on plant- and accident-specific conditions, where applicable, including any dependencies among actions and conditions.

Quantification provides an estimation of the CDF given the design, operation, and maintenance of the plant. This CDF is based on the summation of the estimated CDF from each initiator class. If truncation of accident sequences and cutsets is applied, truncation limits are set so that the overall model results are not impacted significantly and that important accident sequences are not eliminated. Therefore, the truncation limit can vary for each accident sequence. Consequently, the truncation value is selected so that the accident sequence CDF before and after truncation only differs by less than one significant figure.

Interpretation of results entails examining and understanding the results of the PRA and identifying the important contributors sorted by initiating events, accident sequences, equipment failures, and human errors. Methods such as importance measure calculations (e.g., Fussell-Vesely, risk achievement, risk reduction, and Birnbaum) are used to identify the contributions of various events to the model estimation of core damage frequency for both individual sequences and the model as a total. Sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually or in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.
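The quantification, truncation, and importance-measure steps described above can be illustrated with a small requantification script. This is an added example, not part of the regulatory guide: the cutsets, frequencies, and probabilities are constructed, the rare-event approximation is assumed, and the importance-measure formulas are the standard textbook definitions, which the guide names but does not define.

```python
from math import prod

# Constructed toy model (not plant data). Initiator frequencies are per year.
INITIATORS = {"LOOP": 3.0e-2, "SLOCA": 5.0e-4}

# Constructed basic-event probabilities (equipment and human failure events).
BASIC = {
    "EDG-A": 2.0e-2,
    "EDG-B": 2.0e-2,
    "EDG-CCF": 1.0e-3,
    "HPI-PUMP": 5.0e-3,
    "OP-RECOVER": 1.0e-1,
    "RWST-VLV": 1.0e-4,
}

# Constructed minimal cutsets: (initiator class, basic events that all fail).
CUTSETS = [
    ("LOOP", ("EDG-A", "EDG-B", "OP-RECOVER")),
    ("LOOP", ("EDG-CCF", "OP-RECOVER")),
    ("SLOCA", ("HPI-PUMP",)),
    ("SLOCA", ("RWST-VLV",)),
    ("LOOP", ("EDG-A", "HPI-PUMP", "RWST-VLV")),
]


def cutset_freq(cutset, probs=BASIC):
    """Frequency of one cutset: initiator frequency times event probabilities."""
    initiator, events = cutset
    return INITIATORS[initiator] * prod(probs[e] for e in events)


def cdf_by_initiator(cutsets=CUTSETS, probs=BASIC):
    """CDF per initiator class (rare-event approximation: sum of cutsets)."""
    totals = {name: 0.0 for name in INITIATORS}
    for cutset in cutsets:
        totals[cutset[0]] += cutset_freq(cutset, probs)
    return totals


def cdf(cutsets=CUTSETS, probs=BASIC):
    """Total CDF as the summation of the CDF from each initiator class."""
    return sum(cdf_by_initiator(cutsets, probs).values())


def truncation_loss(limit):
    """Fraction of each initiator class's CDF lost by dropping cutsets
    whose frequency is below `limit`. The loss differs between classes,
    which is why one limit does not suit every accident sequence."""
    full = cdf_by_initiator()
    kept = cdf_by_initiator([c for c in CUTSETS if cutset_freq(c) >= limit])
    return {name: (full[name] - kept[name]) / full[name] for name in full}


def importance(event):
    """Importance measures by requantification with the event's probability
    set to 0 and to 1 (textbook definitions, assumed here). Setting p = 1 in
    a rare-event sum ignores cutset subsumption, which is acceptable for
    this small constructed model."""
    base = cdf()
    r0 = cdf(probs={**BASIC, event: 0.0})
    r1 = cdf(probs={**BASIC, event: 1.0})
    return {
        "FV": (base - r0) / base,          # Fussell-Vesely
        "RAW": r1 / base,                  # risk achievement worth
        "RRW": base / r0 if r0 > 0 else float("inf"),  # risk reduction worth
        "Birnbaum": r1 - r0,
    }


def rank(measure):
    """Basic events ordered from most to least important for one measure."""
    return sorted(BASIC, key=lambda e: importance(e)[measure], reverse=True)


if __name__ == "__main__":
    print(f"CDF = {cdf():.4e} per year; by initiator: {cdf_by_initiator()}")
    for limit in (1e-9, 1e-7):
        print(f"truncation at {limit:g}: fractional loss {truncation_loss(limit)}")
    for event in rank("FV"):
        m = importance(event)
        print(f"{event:11s} FV={m['FV']:.4f} RAW={m['RAW']:8.1f} "
              f"RRW={m['RRW']:.3f} Birnbaum={m['Birnbaum']:.2e}")
```

In this constructed model RWST-VLV ranks last by Fussell-Vesely but second by risk achievement worth, so ranking by one measure alone hides events whose failure would raise risk sharply. A truncation limit of 1e-7 removes almost nothing from the LOOP class but about 2 percent of the SLOCA class.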

Level 2 PRA (Containment Response)

Plant damage state analysis groups similar core damage scenarios together to allow a practical assessment of the severe accident progression and containment response resulting from the full spectrum of core damage accidents identified in the Level 1 analysis. The plant damage state analysis defines the attributes of the core damage scenarios that represent important boundary conditions to the assessment of severe accident progression and containment response that ultimately affect the resulting source term. The attributes address the dependencies between the containment systems modeled in the Level 2 analysis with the core damage accident sequence models to fully account for mutual dependencies. Core damage scenarios with similar attributes are grouped together to allow for efficient evaluation of the Level 2 response.

Severe accident progression analysis models the different series of events that challenge containment integrity for the core damage scenarios represented in the plant damage states. The accident progressions account for interactions among severe accident phenomena and system and human responses to identify credible containment failure modes including failure to isolate the containment. The timing of major accident events and the subsequent loadings produced on the containment are evaluated against the capacity of the containment to withstand the potential challenges. The containment performance during the severe accident is characterized by the timing (e.g., early versus late), size (e.g., catastrophic versus bypass), and location of any containment failures.

The code(s) used to perform the analysis are validated and verified for both technical integrity and suitability. Calculations are performed by personnel qualified to perform the types of analyses of interest and well trained in the use of the code(s).


Quantification integrates the accident progression models and source term evaluation to provide estimates of the frequency of radionuclide releases that could be expected following the identified core damage accidents. This quantitative evaluation reflects the different magnitudes and timing of radionuclide releases and specifically allows for identification of the LERF and the probability of a large late release.

Source term analysis characterizes the radiological release to the environment resulting from each severe accident sequence leading to containment failure or bypass. The characterization includes the time, elevation, and energy of the release and the amount, form, and size of the radioactive material that is released to the environment. The source term analysis is sufficient to determine whether a large early release or a large late release occurs. A large early release is one involving significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, and loss of containment isolation. With large late release, significant, unmitigated release from containment occurs in a time frame that allows effective evacuation of the close-in population such that early fatalities are unlikely.

Interpretation of results entails examining results from importance measure calculations (e.g., Fussell-Vesely, risk achievement, risk reduction, and Birnbaum) to identify the contributions of various events to the model estimation of LERF and large late release probability for both individual sequences and the model as a total. Sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually or in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Internal Floods

Flood identification analysis identifies those plant areas where flooding could pose significant risk. Flooding areas are defined on the basis of physical barriers, mitigation features, and propagation pathways. For each flooding area, flood sources that are due to equipment (e.g., piping, valves, pumps) and other sources internal to the plant (e.g., tanks) are identified along with the affected SSCs. Flooding mechanisms are examined that include failure modes of components, human-induced mechanisms, and other water releasing events. Flooding types (e.g., leak, rupture, spray) and flood sizes are determined. Plant walkdowns are performed to verify the accuracy of the information.

Flood evaluation analysis identifies the potential flooding scenarios for each flood source by identifying flood propagation paths of water from the flood source to its accumulation point (e.g., pipe and cable penetrations, doors, stairwells, failure of doors or walls). Plant design features or operator actions that have the ability to terminate the flood are identified. Credit given for flood isolation is justified. The susceptibility of each SSC in a flood area to flood-induced mechanisms is examined (e.g., submerge, spray, pipe whip, and jet impingement). Flood scenarios are developed by examining the potential for propagation and giving credit for flood mitigation. Flood scenarios can be eliminated on the basis of screening criteria. The screening criteria used are well defined and justified.

Quantification provides an estimation of the CDF of the plant that is due to internal floods. The frequency of flooding-induced initiating events that represent the design, operation, and experience of the plant is quantified. The Level 1 models are modified and the internal flood accident sequences quantified: (1) modify accident sequence models to address flooding phenomena, (2) perform necessary calculations to determine success criteria for flooding mitigation, (3) perform parameter estimation analysis to include flooding as a failure mode, (4) perform human reliability analysis to account for performance-shaping factors that are due to flooding, and (5) quantify internal flood accident sequence CDF. Modification of the Level 1 models is performed consistent with the characteristics for Level 1 elements for transients and LOCAs. In addition, sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually or in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Internal Fire

Screening analysis identifies fire areas where fires could pose a significant risk. Fire areas that are not risk significant can be "screened out" from further consideration in the PRA analysis. Both qualitative and quantitative screening criteria can be used. The former address whether an unsuppressed fire in the area poses a nuclear safety challenge; the latter are compared against a bounding assessment of the fire-induced CDF for the area. The potential for fires involving multiple areas should be addressed. Assumptions used in the screening analysis should be verified through appropriate plant walkdowns. Key screening analysis assumptions and results, e.g., the area-specific conditional core damage probabilities (assuming fire-induced loss of all equipment in the area), should be documented.

Fire initiation analysis determines the frequency and physical characteristics of the detailed (within-area) fire scenarios analyzed for the unscreened fire areas. The analysis needs to identify a range of scenarios that will be used to represent all possible scenarios in the area. The possibility of seismically induced fires should be considered. The scenario frequencies should reflect plant-specific experience and should be quantified in a manner that is consistent with their use in the subsequent fire damage analysis (discussed below). The physical characterization of each scenario should also be in terms that will support the fire damage analysis (especially with respect to fire modeling).

Fire damage analysis determines the conditional probability that sets of potentially risk-significant components (including cables) will be damaged in a particular mode, given a specified fire scenario. The analysis needs to address components whose failure will cause an initiating event, affect the plant's ability to mitigate an initiating event, or affect potentially risk-significant equipment (e.g., through suppression system actuation). Damage from heat, smoke, and exposure to suppressants should be considered. If fire models are used to predict fire-induced damage, compartment-specific features (e.g., ventilation, geometry) and target-specific features (e.g., cable location relative to the fire) should be addressed. The fire suppression analysis should account for the scenario-specific time required to detect, respond to, and extinguish the fire. The models and data used to analyze fire growth, fire suppression, and fire-induced component damage should be consistent with experience from actual nuclear power plant fire experience as well as experiments.


Plant response analysis involves the modification of appropriate plant transient and LOCA PRA models to determine the conditional core damage probability, given damage to the set(s) of components defined in the fire damage analysis. All potentially significant fire-induced initiating events, including such "special" events as loss of plant support systems and interactions between multiple nuclear units during a fire event, should be addressed. The analysis should address the availability of non-fire affected equipment (including control) and any required manual actions. For fire scenarios involving control room abandonment, the analysis should address the circuit interactions raised in NUREG/CR-5088 (footnote 1), including the possibility of fire-induced damage prior to transfer to the alternative shutdown panel(s). The human reliability analysis of operator actions should address fire effects on operators (e.g., heat, smoke, loss of lighting, effect on instrumentation) and fire-specific operational issues (e.g., fire response operating procedures, training on these procedures, potential complications in coordinating activities). In addition, sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually or in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

External Hazards

Screening and bounding analysis identifies external events other than earthquake that may challenge plant operations and require successful mitigation by plant equipment and personnel to prevent core damage from occurring. The term "screening out" is used here for the process whereby an external event is excluded from further consideration in the PRA analysis. There are two fundamental screening criteria embedded in the requirements here: An event can be screened out either (1) if it meets the design criteria, or (2) if it can be shown using an analysis that the mean value of the design basis hazard used in the plant design is less than 10^-5/year, and that the conditional core-damage probability is less than 10^-1, given the occurrence of the design basis hazard. An external event that cannot be screened out using either of these criteria is subjected to the detailed analysis.

Hazard analysis characterizes non-screened external events and seismic events, generally, as frequencies of occurrence of different sizes of events (e.g., earthquakes with various peak ground accelerations, hurricanes with various maximum wind speeds) at the site. The external events are site-specific and the hazard characterization addresses both aleatory and epistemic uncertainties.

Fragility analysis characterizes the conditional probability of failure of important SSCs whose failure may lead to unacceptable damage to the plant (e.g., core damage) given occurrence of an external event. For important SSCs, the fragility analysis is realistic and plant-specific. The fragility analysis is based on extensive plant-walkdowns reflecting as-built, as-operated conditions.

Level 1 model modification assures that the system models include all important external-event-caused initiating events that can lead to core damage or large early release. The system model includes external-event-induced SSC failures, non-external-event-induced failures (random failures), and human errors. The system analysis is well coordinated with the fragility analysis and is based on plant walkdowns. The results of the external event hazard analysis, fragility analysis, and system models are assembled to estimate frequencies of core damage and large early release. Uncertainties in each step are propagated through the process and displayed in the final results. The quantification process is capable of conducting necessary sensitivity analyses and identifying dominant sequences and contributors.

Footnote 1: Fire Risk Scoping Study: Investigation of Nuclear Power Plant Risk Including Previously Unaddressed Issues, NUREG/CR-5088, January 1989.

Documentation

Traceability and defensibility provide the necessary information such that the results can easily be reproduced and justified. The sources of information used in the PRA are both referenced and retrievable. The methodology used to perform each aspect of the work is described either through documenting the actual process or through reference to existing methodology documents. Assumptions (footnote 2) made in performing the analyses are identified and documented along with their justification to the extent that the context of the assumption is understood. The results (e.g., products and outcomes) from the various analyses are documented.

A.3 PEER REVIEW

A peer review process can be used to identify weaknesses in the PRA and the importance of the weaknesses to the confidence in the PRA results. An acceptable peer review needs to be performed by qualified personnel, needs to be performed according to an established process that compares the PRA against desired characteristics and attributes, needs to document the results, and needs to identify both strengths and weaknesses of the PRA.

Table A-3 provides a summary of desired characteristics and attributes of a peer review.

Table A-3 Summary of Desired Characteristics and Attributes of a Peer Review

Element: Desired Characteristics and Attributes

Team Qualifications
  • independent with no conflicts of interest
  • expertise in all the technical elements of a PRA, including integration
  • knowledge of the plant design and operation
  • knowledge of the peer review process

Peer Review Process
  • is a documented process
  • uses a set of desired PRA characteristics and attributes
  • reviews PRA methods
  • reviews application of methods
  • reviews key assumptions
  • determines if PRA represents as-built and as-operated plant
  • reviews results of each PRA technical element for reasonableness
  • reviews PRA maintenance and update process

Documentation
  • describes the peer review team qualifications
  • describes the peer review process
  • documents where PRA does not meet desired characteristics and attributes
  • assesses and documents significance of deficiencies

Footnote 2: Assumptions include those decisions and judgments that were made in the course of the analysis.

The team qualifications determine the credibility and acceptability of the peer reviewers. In order that the peer reviewers not give any perception of a technical conflict of interest, they should not have performed any actual work on the PRA. The members of the peer review team have technical expertise in the PRA elements they review, including experience in the specific methods that are used to perform the PRA elements. This technical expertise includes experience in performing (not just reviewing) the work in the element assigned for review. In addition, knowledge of the key features specific to the plant design and operation is essential. Finally, each member of the peer review team is knowledgeable of the peer review process, including the desired characteristics and attributes used to assess the acceptability of the PRA.

The peer review process includes a documented procedure to direct the team in evaluating the acceptability of a PRA. The review process compares the PRA against the desired PRA characteristics and attributes that are listed in this appendix and elaborated on in a PRA standard. In addition to reviewing the methods used in the PRA, the peer review also determines whether the application of those methods was done correctly. The PRA models are compared against the plant design and procedures to validate that they reflect the as-built and as-operated plant. Key assumptions are reviewed to determine whether they are appropriate and whether they have a significant impact on the PRA results. The PRA results are checked for fidelity with the model structure and also for consistency with the results from PRAs for similar plants. Finally, the peer review process examines the procedures or guidelines in place for updating the PRA to reflect changes in plant design, operation, or experience.

Documentation provides the necessary information such that the peer review process and the findings are both traceable and defensible. Descriptions of the qualifications of the peer review team members and the peer review process are documented. The results of the peer review for each technical element and the PRA update process are described, including those areas in which the PRA does not meet or exceed the desired characteristics and attributes used in the review process. This includes an assessment of the importance of any identified deficiencies on the PRA results and potential uses and how these deficiencies were addressed and resolved.

A.4 INTEGRATED DECISIONMAKING PANEL

Instances when the PRA may not appear to meet all significant elements that are considered important to the decision at hand typically benefit from the use of an integrated decisionmaking panel. In this instance, the panel would attempt to establish an appreciation of, and compensation for, either the uncertainty or potential inadequacy in relation to the specific application for which the PRA is planned. They would essentially try to establish the role the PRA results would play in the decision commensurate with their level of confidence in those results. If the panel approach is chosen, there are certain characteristics and attributes that the PRA should have.

Table A-4 provides a summary of the required characteristics and attributes of an integrated decisionmaking panel.

Table A-4 Summary of Desired Characteristics and Attributes of an Integrated Decisionmaking Panel To Use PRA Results

Element: Desired Characteristics and Attributes

Panel Member Qualifications
  • diverse membership, including PRA, engineering, operations, etc.
  • wide knowledge of plant
  • broad understanding of how changes in requirements and issues could affect SSC response
  • training

Panel Decisionmaking Process
  • decisionmaking process appropriate
  • appropriate information available
  • evaluation of risk significance represents appropriate consideration of issues

Technical Information Bases
  • adequate for the scope of the analysis

Incorporation of non-PRA Modeled Items
  • evaluate in a systematic manner the safety significance of items not modeled in the PRA but affected by a proposed application (e.g., SSCs, modes of operation)

Identification of Limitations
  • process applied by the licensee to overcome limitations of PRA is appropriate
  • decisions made that do not follow straightforwardly from the PRA need a technical basis that shows how the PRA information and the supplementary information validly combine to support the finding
  • no findings contradict the PRA in a fundamental way

Documentation
  • written procedure of the panel process
  • report of the decision concluded by the panel and the basis for the conclusion

Panel member qualifications identify the credentials needed of the panel members such that decisions reached by the panel are technically defensible. The panel includes members with diverse backgrounds such as PRA, engineering, and operations. Plant members have a wide knowledge of the plant and a broad understanding of how changes in requirements and issues could affect SSC response. Training is provided to the members for the activities they are required to perform. This training is of sufficient depth such that the member can make informed decisions by combining multiple, diverse knowledge sets.

The decisionmaking process is based on a written, systematic approach and shown to be appropriate for the decisions the panel is needed to render. The necessary technical information is made available to the panel and is examined to allow the applicable issues to be raised. The issues are disposed of using a systematic and defensible process, and documentation of findings made by the panel are traceable and reviewable. Any evaluation of the risk significance of issues appropriately considers probabilistic information, traditional engineering evaluations, sensitivity studies, operational experience, engineering judgment, and current regulatory requirements.

The technical information bases provide the necessary information for the panel to arrive at a defensible decision. This information is derived from various sources, including, for example, simplified or detailed engineering analyses, specific plant-operational expertise, and expert opinion, and is shown to be adequate for the scope of the analysis. Therefore, the technical information used is sufficient to allow analysis (e.g., quantification) of both success and failure scenarios to (1) identify the roles played by the SSCs, and (2) establish the safety significance of the SSCs, as well as to identify causal models to be used to establish the effects of any proposed changes.

Incorporation of non-PRA modeled items involves evaluating the safety significance of items not modeled in the PRA but affected by a proposed application. This systematic evaluation consists of searching for items that might contribute to initiating event occurrence, identifying mitigating system items that were not modeled in the PRA because their failure was not expected to dominate system failure in the baseline configuration, and recognizing items in systems that do not play a direct role in accident mitigation but do interface with accident mitigating systems.

Identification of limitations specifies those aspects in the PRA that decrease the level of confidence in the results, and consequently, are to be addressed by the integrated decisionmaking panel process. These deficiencies may exist because (1) an item was not modeled in the PRA, (2) an item was inappropriately modeled, or (3) technology was inadequate to model in the PRA. The process used by the integrated decisionmaking panel to resolve the deficiency is based on the type of deficiency identified and includes (1) modeling the item in the PRA or accounting for the effects of the item by other means (e.g., using surrogate components), (2) revising the PRA model to appropriately model the item, or (3) soliciting and using expert opinion to resolve items involving a lack of technology. When a decision is made by the panel that does not follow straightforwardly from the PRA, a technical basis is provided that shows how the PRA information and the supplementary information validly combine to support the finding. Further, no findings by the panel can contradict the PRA in a fundamental way.

Documentation provides the necessary information such that the integrated decisionmaking panel process and its findings are both traceable and defensible. The documentation includes a description of the qualifications of each panel member, the written procedures employed by the panel, and a report of any decisions made by the panel, including the basis for the conclusions.


APPENDIX B

USE OF RISK-IMPORTANCE MEASURES TO CATEGORIZE STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE

INTRODUCTION

For several of the proposed applications of the risk-informed regulation process, one of the principal activities is the categorization of structures, systems, and components (SSCs) and human actions according to safety significance. The purpose of this appendix is to discuss one way that this categorization may be performed to be consistent with Principle 4 and the expectations discussed in Section 2.1 of Regulatory Guide 1.174.

Safety significance of an SSC can be thought of as being related to the role the SSC plays in preventing the occurrence of the undesired end state. Thus the position adopted in this regulatory guide is that all the SSCs and human actions considered when constructing the PRA model (including those that do not necessarily appear in the final quantified model, because they have been screened initially, assumed to be inherently reliable, or have been truncated from the solution of the model) have the potential to be safety significant since they play a role in preventing core damage.

In establishing the categorization, it is important to recognize the purpose behind the categorization, which is, generally, to sort the SSCs and human actions into groups such as those for which some relaxation of requirements is proposed, and those for which no such change is proposed. It is the proposed application that is the motivation for the categorization, and it is the potential impact of the application on the particular SSCs and human actions and on the measures of risk that ultimately determines which of the SSCs and human actions must be regarded as safety significant within the context of the application. This impact on overall risk should be evaluated in light of the principles and decision criteria identified in this guide. Thus, the most appropriate way to address the categorization is through a requantification of the risk measures.

However, the feasibility of performing such risk quantification has been questioned when a method for evaluating the impact of the change on SSC unavailability is not available for those applications. An acceptable alternative to requantification of risk is for the licensee to perform the categorization of the SSCs and human actions in an integrated manner, making use of an analytical technique, based on the use of PRA importance measures, as input. This appendix discusses the technical issues associated with the use of PRA importance measures.

TECHNICAL ISSUES ASSOCIATED WITH THE USE OF IMPORTANCE MEASURES

In the implementation of the Maintenance Rule and in industry guides for risk-informed applications (for example, the PSA Applications Guide), the Fussell-Vesely Importance, Risk Reduction Worth, and Risk Achievement Worth are the most commonly identified measures in the relative risk ranking of SSCs. However, in the use of these importance measures for risk-informed applications, there are several issues that should be addressed. Most of the issues are related to technical problems that can be resolved by the use of sensitivity studies or by appropriate quantification techniques. These issues are discussed in detail below. In addition, there are two issues, namely (1) that risk rankings apply only to individual contributions and not to combinations or sets of contributors, and (2) that risk rankings are not necessarily related to the risk changes that result from those contributor changes; the licensee should be aware of these issues and ensure that they have been addressed adequately. When performed and interpreted correctly, component-level importance measures can provide valuable input to the licensee.

Risk-ranking results from a PRA can be affected by many factors, the most important being model assumptions and techniques (e.g., for modeling of human reliability or common cause failures), the data used, or the success criteria chosen. The licensee should therefore make sure that the PRA is technically acceptable.

In addition to the use of a "quality" technically acceptable PRA, the robustness of categorization results should also be demonstrated for conditions and parameters that might not be addressed in the base PRA. Therefore, when importance measures are used to group components or human actions as low-safety-significant contributors, the information to be provided to the analysts performing qualitative categorization should include sensitivity studies or other evaluations to demonstrate the sensitivity of the importance results to the important PRA modeling techniques, assumptions, and data.

Issues that should be considered and addressed are listed here.

Truncation Limit: The licensee should determine that the truncation limit has been set low enough so that the truncated set of minimal cutsets contains all the significant contributors and their logical combinations for the application in question and is low enough to capture at least 95 percent of the CDF. Depending on the PRA level of detail (module level, component level, or piece-part level), this may translate into a truncation limit from 10^-12 to 10^-8 per reactor year. In addition, the truncated set of minimal cutsets should be determined to contain the important application-specific contributors and their logical combinations.

Risk Metrics: The licensee should ensure that risk in terms of both CDF and LERF is considered in the ranking process.

Completeness of Risk Model: The licensee should ensure that the PRA model is sufficiently complete to address all important modes of operation for the SSCs being analyzed. Safety-significant contributions from internal events, external events, and shutdown and low power initiators should be considered by using PRA or other engineering analyses.

Sensitivity Analysis for Component Data Uncertainties: The sensitivity of component categorizations to uncertainties in the parameter values should be addressed by the licensee. Licensees should be satisfied that SSC categorization is not affected by data uncertainties.

Sensitivity Analysis for Common Cause Failures: CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. The licensee should determine that the safety-significant categorization has taken into account the combined effect of associated basic PRA events, such as failure to start and failure to run, including indirect contributions through associated CCF event probabilities. CCF probabilities can affect PRA results by enhancing or obscuring the importance of components. A component may be ranked as a high risk contributor mainly because of its contribution to CCFs, or a component may be ranked as a low risk contributor mainly because it has negligible or no contribution to CCFs.

Sensitivity Analysis for Recovery Actions: PRAs typically model recovery actions, especially for dominant accident sequences. Quantification of recovery actions typically depends on the time available for diagnosis and for performing the action, as well as the training, procedures, and knowledge of operators. There is a certain degree of subjectivity involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations in which very high success probabilities are assigned to a sequence, resulting in related components being ranked as low risk contributors.

Furthermore, it is not desirable for the categorization of SSCs to be affected by recovery actions that sometimes are only modeled for the dominant scenarios. Sensitivity analyses can be used to show how the SSC categorization would change if all recovery actions were removed. The licensee should ensure that the categorization has not been unduly affected by the modeling of recovery actions.

Multiple Component Considerations: As discussed previously, importance measures are typically evaluated on an individual SSC or human action basis. One potential concern raised by this is that single-event importance measures have the potential to dismiss all the elements of a system or group despite the fact that the system or group has a high importance when taken as a whole. (Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance of the systems of which they are elements.)

There are two potential approaches to addressing the multiple component issue. The first is to define suitable measures of system or group importance. The second is to choose appropriate criteria for categorization based on component-level importance measures. In both cases, it will be necessary for the licensee to demonstrate that the cumulative impact of the change has been adequately addressed.

While there are no widely accepted definitions of system or group importance measures, if any are proposed the licensee should make sure that the measures are capturing the impact of changes to the group in a logical way. As an example of the issues that arise, consider the following. For front-line systems, one possibility would be to define a Fussell-Vesely type measure of system importance as the sum of the frequencies of sequences involving failure of that system, divided by the sum of all sequence frequencies. Such a measure would need to be interpreted carefully if the numerator included contributions from failures of that system caused by support systems.

Similarly, a Birnbaum-like measure could be defined by quantifying sequences involving the system, conditional on its failure, and summing up those quantities. This would provide a measure of how often the system is critical. However, again the support systems make the situation more complex. To take a two-division plant as an example, front-line failures can occur as a result of failure of support division A in conjunction with failure of front-line division B. Working with a figure of merit based on "total failure of support system" would miss contributions of this type.

In the absence of appropriately defined group-level importance measures, reliance must be on a qualitative categorization by the licensee, as part of the integrated decisionmaking process, to make the appropriate determination.

Relationship of Importance Measures to Risk Changes: Importance measures do not directly relate to changes in risk. Instead, the risk impact is indirectly reflected in the choice of the value of the measure used to determine whether an SSC should be classified as being of high or low safety significance. This is a concern whether importances are evaluated at the component or at the group level. The PSA Applications Guide suggested values of Fussell-Vesely importance of 0.05 at the system level and 0.005 at the component level, for example. However, the criteria for categorization into low and high significance should be related to the acceptance criteria for changes in CDF and LERF. This implies that the criteria should be a function of the base case CDF and LERF rather than being fixed for all plants. Thus the licensee should demonstrate how the chosen criteria are related to, and conform with, the acceptance guidelines described in this document. If component-level criteria are used, they should be established taking into account that the allowable risk increase associated with the change should be based on simultaneous changes to all members of the category.
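The following added example (not part of the regulatory guide) works through the truncation, multiple-component, and risk-change issues above on a constructed cutset model. All event names, probabilities, and cutsets are hypothetical; the 0.005 and 0.05 Fussell-Vesely values and the 95 percent CDF capture figure are the ones quoted in the text.

```python
from math import prod

# Constructed toy model (not plant data): basic-event probabilities, with
# IE an initiating-event frequency per reactor year.
P = {"IE": 1e-1, "CCF_PUMPS": 1e-4, "PUMP_A": 3e-3, "PUMP_B": 3e-3, "OP": 5e-4}
VALVES = [f"V{i}" for i in range(1, 21)]
P.update({v: 1e-3 for v in VALVES})

# Minimal cutsets: each is a set of basic events that together cause core damage.
CUTSETS = [{"IE", "CCF_PUMPS"}, {"IE", "PUMP_A", "PUMP_B"}]
CUTSETS += [{"IE", v, "OP"} for v in VALVES]

def cdf(p=P, cutsets=CUTSETS, truncation=0.0):
    """Rare-event approximation: sum of cutset frequencies at or above the limit."""
    freqs = (prod(p[e] for e in cs) for cs in cutsets)
    return sum(f for f in freqs if f >= truncation)

def fussell_vesely(events, p=P, cutsets=CUTSETS):
    """Fraction of CDF from cutsets containing any of `events` (one event or a group)."""
    events = {events} if isinstance(events, str) else set(events)
    hit = [cs for cs in cutsets if cs & events]
    return cdf(p, hit) / cdf(p, cutsets)

def raw(event, p=P, cutsets=CUTSETS):
    """Risk Achievement Worth: CDF with the event assumed failed, over base CDF."""
    return cdf({**p, event: 1.0}, cutsets) / cdf(p, cutsets)

def delta_cdf(events, factor, p=P, cutsets=CUTSETS):
    """CDF increase when every listed event's probability is multiplied by `factor`."""
    degraded = {**p, **{e: min(1.0, p[e] * factor) for e in events}}
    return cdf(degraded, cutsets) - cdf(p, cutsets)

def retained_fraction(truncation):
    """Share of the full CDF that survives a given truncation limit."""
    return cdf(truncation=truncation) / cdf()

if __name__ == "__main__":
    print(f"base CDF            {cdf():.3e} /yr")
    print(f"FV one valve        {fussell_vesely('V1'):.4f}")
    print(f"FV all valves       {fussell_vesely(VALVES):.4f}")
    print(f"RAW one valve       {raw('V1'):.2f}")
    print(f"dCDF 1 valve x10    {delta_cdf(['V1'], 10):.2e}")
    print(f"dCDF 20 valves x10  {delta_cdf(VALVES, 10):.2e}")
    print(f"retained at 1e-7    {retained_fraction(1e-7):.3f}")
```

In this model each valve falls below the 0.005 component-level value while the valve group exceeds the 0.05 system-level value, and a truncation limit of 1e-7 drops every valve cutset and retains less than 95 percent of the CDF.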

SSCs Not Included in the Final Quantified Cutset Solution: Importance measures based on the quantified cutsets will not factor in those SSCs that have either been truncated or were not included in the fault tree models because they were screened on the basis of high reliability. SSCs that have been screened because their credible failure modes would not fail the system function can be argued to be unimportant. The licensee must make sure that these SSCs are considered.

REGULATORY ANALYSIS

A draft regulatory analysis was published with the draft of this guide when it was published for public comment (Task DG-1061, June 1997). No changes were necessary to the regulatory analysis, so a separate regulatory analysis has not been prepared for this proposed Revision 1 to Regulatory Guide 1.174. A copy of the draft regulatory analysis is available for inspection or copying for a fee in the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301)415-4737 or 1-(800)397-4209; fax (301)415-3548; e-mail <PDR@NRC.GOV>.
